Worksheet: ApacheHTTPD2.2

Columns: CCE ID | CCE Description | CCE Parameters | CCE Technical Mechanisms | benchmark references

Reference benchmarks mapped:
CIS Security Configuration Benchmark For Apache Web Server 2.2.0 Version 2.2.0 November 2008
DISA STIG Apache SITE 2.2 for Windows Release: 1 Benchmark Date: 23 Nov 2011
DISA STIG Apache SERVER 2.2 for Windows Release: 1 Benchmark Date: 23 Nov 2011
DISA STIG Apache SITE 2.2 for Unix Release: 1 Benchmark Date: 23 Nov 2011
DISA STIG Apache SERVER 2.2 for Unix Release: 1 Benchmark Date: 23 Nov 2011

CCE entries (description, parameters, technical mechanism, references):

Anonymous sharing of Apache's web content directories should be configured appropriately.
(1) Set of shares
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy
Rule Title: Web content directories must not be anonymously shared. STIG ID: WG210 W22 Rule ID: SV-33109r1_rule Vuln ID: V-2226 Severity: CAT II Class: Unclass

The Apache AllowOverride directive should be configured appropriately for web site root directories.
(1) AuthConfig / FileInfo / Indexes / Limit / Options / All / None
(1) Apache configuration file: AllowOverride directive
1.8 Directory Functionality Control with the Options Directive p17
Rule Title: All interactive programs must be placed in a designated directory with appropriate permissions. STIG ID: WG400 W22 Rule ID: SV-36644r1_rule Vuln ID: V-2228 Severity: CAT II Class: Unclass

The maximum password age setting for Apache's service account should be configured appropriately.
(1) number of days
(1) defined by Local or Group Policy
Rule Title: The service account used to run the web service must have its password changed at least annually. STIG ID: WG060 W22 Rule ID: SV-36489r1_rule Vuln ID: V-2235 Severity: CAT II Class: Unclass

The Apache "MaxKeepAliveRequests" directive should be configured appropriately.
(1) Number value
(1) Apache configuration file: MaxKeepAliveRequests directive
Rule Title: The number of allowed simultaneous requests must be set. STIG ID: WG110 W22 Rule ID: SV-33105r1_rule Vuln ID: V-2240 Severity: CAT II Class: Unclass
Rule Title: The number of allowed simultaneous requests must be set. STIG ID: WG110 A22 Rule ID: SV-33018r1_rule Vuln ID: V-2240 Severity: CAT II Class: Unclass

All readable Apache web document directories should have their default webpage configured appropriately.
(1) exist / not exist
(1) Directories (from Apache configuration file: DocumentRoot directive)
Rule Title: Each readable web document directory must contain either a default, home, index, or equivalent file. STIG ID: WG170 W22 Rule ID: SV-33107r1_rule Vuln ID: V-2245 Severity: CAT III Class: Unclass

Access to Apache's httpd.conf file should be configured appropriately.
(1) set of accounts (2) list of permissions (3) applicability
(1) defined by (ServerRoot)\conf\httpd.conf's DACL
Rule Title: Web administration tools must be restricted to the web manager and the web manager's designees. STIG ID: WG220 W22 Rule ID: SV-33072r1_rule Vuln ID: V-2248 Severity: CAT II Class: Unclass

Apache's log_config_module should be enabled or disabled as appropriate.
(1) log_config_module
(1) Apache configuration file: LoadModule directive
Rule Title: Logs of web server access and errors must be established and maintained. STIG ID: WG240 W22 Rule ID: SV-33132r1_rule Vuln ID: V-2250 Severity: CAT II Class: Unclass
Rule Title: Logs of web server access and errors must be established and maintained. STIG ID: WG240 A22 Rule ID: SV-33025r1_rule Vuln ID: V-2250 Severity: CAT II Class: Unclass

The Windows permissions for all files specified by CustomLog directives should be configured appropriately.
Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 W22 Rule ID: SV-33135r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass
(1) defined by the object's DACL
The Windows permissions for all files specified by ErrorLog directives should be configured appropriately.

The Windows permissions of Apache's htpasswd.exe file(s) should be configured appropriately.
Rule Title: The web server's htpasswd files (if present) must reflect proper ownership and permissions. STIG ID: WG270 W22 Rule ID: SV-36561r1_rule Vuln ID: V-2255 Severity: CAT II Class: Unclass

The Windows permissions for all directories specified by ScriptAlias directives should be configured appropriately.
Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 W22 Rule ID: SV-33136r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass
The Windows permissions for all directories specified by ScriptAliasMatch directives should be configured appropriately.
The Windows permissions for all directories specified by DocumentRoot directives should be configured appropriately.
The Windows permissions for all directories specified by Alias directives should be configured appropriately.
The Windows permissions for all directories specified by ServerRoot directives should be configured appropriately.
Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 W22 Rule ID: SV-33078r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass
The Windows permissions of Apache's /config directory should be configured appropriately.
The Windows permissions of Apache's /bin directory should be configured appropriately.
The Windows permissions of Apache's /logs directory should be configured appropriately.
The Windows permissions of Apache's /htdocs directory should be configured appropriately.

The Apache site's robots.txt should be configured to disallow paths and files as appropriate.
(1) User-Agent (2) Disallowed path(s)|file(s)
(1) robots.txt
Rule Title: A private web server must not respond to requests from public search engines. STIG ID: WG310 W22 Rule ID: SV-28798r2_rule Vuln ID: V-2260 Severity: CAT II Class: Unclass
Rule Title: A private web server must not respond to requests from public search engines. STIG ID: WG310 A22 Rule ID: SV-33028r1_rule Vuln ID: V-2260 Severity: CAT II Class: Unclass

Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 A22 Rule ID: SV-33029r1_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass
Rule Title: A private web server must utilize TLS v 1.0 or greater. STIG ID: WG340 W22 Rule ID: SV-14297r4_rule Vuln ID: V-2262 Severity: CAT II Class: Unclass
Apache's ssl_module should be enabled or disabled as appropriate.
(1) ssl_module

Rule Title: Log file data must contain required data elements. STIG ID: WG242 W22 Rule ID: SV-28654r2_rule Vuln ID: V-13688 Severity: CAT II Class: Unclass
Rule Title: Error logging must be enabled. STIG ID: WA00605 W22 Rule ID: SV-33147r1_rule Vuln ID: V-26279 Severity: CAT II Class: Unclass
Rule Title: System logging must be enabled. STIG ID: WA00615 W22 Rule ID: SV-33151r1_rule Vuln ID: V-26281 Severity: CAT II Class: Unclass
Rule Title: The LogLevel directive must be enabled. STIG ID: WA00620 W22 Rule ID: SV-33153r1_rule Vuln ID: V-26282 Severity: CAT II Class: Unclass
Rule Title: Web content directories must not be anonymously shared. STIG ID: WG210 A22 Rule ID: SV-33022r1_rule Vuln ID: V-2226 Severity: CAT II Class: Unclass

CIS benchmark section references:
1.16 Software Information Leakage Protection p29
1.18 Remove Default Content p33
1.17 Logging p30
1.13 Denial of Service Prevention Tuning p21
1.14 Buffer Overflow Protection Tuning p23
1.14 Buffer Overflow Protection Tuning p24
2.5 Syslog Logging p44-45
1.17 Logging p31
1.7 Restricting Access p14-15
1.19 Updating Ownership and Permissions p34
1.13 Denial of Service Prevention Tuning p22
1.6 Creating the Apache User and Group Accounts p14
1.11 Restrict HTTP Protocol Version p19
2.7 Additional Software Information Leakage Protection p50
1.8 Directory Functionality Control with the Options Directive p16
1.7 Restricting Access p15

DISA STIG references (Windows, W22):
Rule Title: Wscript.exe and Cscript.exe must only be accessible by the SA and/or the web administrator. STIG ID: WG470 W22 Rule ID: SV-33095r1_rule Vuln ID: V-2264 Severity: CAT II Class: Unclass
Rule Title: Web server and/or operating system information must be protected. STIG ID: WG520 W22 Rule ID: SV-33098r1_rule Vuln ID: V-6724 Severity: CAT III Class: Unclass
Rule Title: The web server, although started by superuser or privileged account, must run using a non-privileged account. STIG ID: WG275 W22 Rule ID: SV-36607r1_rule Vuln ID: V-13619 Severity: CAT II Class: Unclass
Rule Title: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. STIG ID: WG385 W22 Rule ID: SV-33087r1_rule Vuln ID: V-13621 Severity: CAT I Class: Unclass
Rule Title: The Timeout directive must be properly set. STIG ID: WA000-WWA020 W22 Rule ID: SV-32980r1_rule Vuln ID: V-13724 Severity: CAT II Class: Unclass
Rule Title: The KeepAlive directive must be enabled. STIG ID: WA000-WWA022 W22 Rule ID: SV-32987r1_rule Vuln ID: V-13725 Severity: CAT II Class: Unclass
Rule Title: The KeepAliveTimeout directive must be defined. STIG ID: WA000-WWA024 W22 Rule ID: SV-32880r1_rule Vuln ID: V-13726 Severity: CAT II Class: Unclass
Rule Title: The FollowSymLinks setting must be disabled. STIG ID: WA000-WWA052 W22 Rule ID: SV-33001r1_rule Vuln ID: V-13732 Severity: CAT II Class: Unclass
Rule Title: Server side includes (SSIs) must run with execution capability disabled. STIG ID: WA000-WWA054 W22 Rule ID: SV-33003r1_rule Vuln ID: V-13733 Severity: CAT I Class: Unclass
Rule Title: The MultiViews directive must be disabled. STIG ID: WA000-WWA056 W22 Rule ID: SV-33004r1_rule Vuln ID: V-13734 Severity: CAT II Class: Unclass
Rule Title: Directory indexing must be disabled on directories not containing index files. STIG ID: WA000-WWA058 W22 Rule ID: SV-33006r1_rule Vuln ID: V-13735 Severity: CAT II Class: Unclass
Rule Title: The HTTP request message body size must be limited. STIG ID: WA000-WWA060 W22 Rule ID: SV-33008r1_rule Vuln ID: V-13736 Severity: CAT II Class: Unclass
Rule Title: The HTTP request header fields must be limited. STIG ID: WA000-WWA062 W22 Rule ID: SV-33009r1_rule Vuln ID: V-13737 Severity: CAT II Class: Unclass
Rule Title: The HTTP request header field size must be limited. STIG ID: WA000-WWA064 W22 Rule ID: SV-33010r1_rule Vuln ID: V-13738 Severity: CAT II Class: Unclass
Rule Title: The HTTP request line must be limited. STIG ID: WA000-WWA066 W22 Rule ID: SV-33011r1_rule Vuln ID: V-13739 Severity: CAT II Class: Unclass
Rule Title: Web Distributed Authoring and Versioning (WebDAV) must be disabled. STIG ID: WA00505 W22 Rule ID: SV-33169r1_rule Vuln ID: V-26287 Severity: CAT II Class: Unclass
Rule Title: Web server status module will be disabled. STIG ID: WA00510 W22 Rule ID: SV-33171r1_rule Vuln ID: V-26294 Severity: CAT II Class: Unclass
Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 W22 Rule ID: SV-33173r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass
Rule Title: User specific directories must not be globally enabled. STIG ID: WA00525 W22 Rule ID: SV-33175r1_rule Vuln ID: V-26302 Severity: CAT II Class: Unclass
Rule Title: The process ID (PID) file must be properly secured. STIG ID: WA00530 W22 Rule ID: SV-33177r1_rule Vuln ID: V-26305 Severity: CAT II Class: Unclass
Rule Title: The ScoreBoard file must be properly secured. STIG ID: WA00535 W22 Rule ID: SV-33178r1_rule Vuln ID: V-26322 Severity: CAT II Class: Unclass
Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 W22 Rule ID: SV-33180r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass
Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 W22 Rule ID: SV-33182r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass
Rule Title: The TRACE method must be disabled. STIG ID: WA00550 W22 Rule ID: SV-33183r1_rule Vuln ID: V-26325 Severity: CAT II Class: Unclass
Rule Title: The web server must be configured to listen on a specific IP address and port. STIG ID: WA00555 W22 Rule ID: SV-33184r1_rule Vuln ID: V-26326 Severity: CAT II Class: Unclass
Rule Title: The URL-path name must be set to the file path name or the directory path name. STIG ID: WA00560 W22 Rule ID: SV-33185r1_rule Vuln ID: V-26327 Severity: CAT II Class: Unclass
Rule Title: Automatic directory indexing must be disabled. STIG ID: WA00515 W22 Rule ID: SV-33225r1_rule Vuln ID: V-26368 Severity: CAT II Class: Unclass
Rule Title: The ability to override the access configuration for the OS root directory must be disabled. STIG ID: WA00547 W22 Rule ID: SV-33237r1_rule Vuln ID: V-26393 Severity: CAT II Class: Unclass
Rule Title: HTTP request methods must be limited. STIG ID: WA00565 W22 Rule ID: SV-33238r1_rule Vuln ID: V-26396 Severity: CAT II Class: Unclass

DISA STIG references (Unix, A22):
Rule Title: Log file data must contain required data elements. STIG ID: WG242 A22 Rule ID: SV-36642r1_rule Vuln ID: V-13688 Severity: CAT II Class: Unclass
Rule Title: Error logging must be enabled. STIG ID: WA00605 A22 Rule ID: SV-33192r1_rule Vuln ID: V-26279 Severity: CAT II Class: Unclass
Rule Title: System logging must be enabled. STIG ID: WA00615 A22 Rule ID: SV-33206r1_rule Vuln ID: V-26281 Severity: CAT II Class: Unclass
Rule Title: The LogLevel directive must be enabled. STIG ID: WA00620 A22 Rule ID: SV-33207r1_rule Vuln ID: V-26282 Severity: CAT II Class: Unclass
AC-3(4).1 CM-6.1 (ii) CM-7.1 (ii)
Rule Title: Log file access must be restricted to System Administrators, Web Administrators or Auditors. STIG ID: WG250 A22 Rule ID: SV-33033r1_rule Vuln ID: V-2252 Severity: CAT II Class: Unclass
Rule Title: The web client account access to the content and scripts directories must be limited to read and execute. STIG ID: WG290 A22 Rule ID: SV-33027r1_rule Vuln ID: V-2258 Severity: CAT I Class: Unclass
Rule Title: Web server and/or operating system information must be protected. STIG ID: WG520 A22 Rule ID: SV-36672r1_rule Vuln ID: V-6724 Severity: CAT III Class: Unclass
Rule Title: All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. STIG ID: WG385 A22 Rule ID: SV-32933r1_rule Vuln ID: V-13621 Severity: CAT I Class: Unclass
Rule Title: The Timeout directive must be properly set. STIG ID: WA000-WWA020 A22 Rule ID: SV-32977r1_rule Vuln ID: V-13724 Severity: CAT II Class: Unclass
Rule Title: The KeepAlive directive must be enabled. STIG ID: WA000-WWA022 A22 Rule ID: SV-32844r1_rule Vuln ID: V-13725 Severity: CAT II Class: Unclass
Rule Title: The KeepAliveTimeout directive must be defined. STIG ID: WA000-WWA024 A22 Rule ID: SV-32877r1_rule Vuln ID: V-13726 Severity: CAT II Class: Unclass
Rule Title: The FollowSymLinks setting must be disabled. STIG ID: WA000-WWA052 A22 Rule ID: SV-40129r1_rule Vuln ID: V-13732 Severity: CAT II Class: Unclass
Rule Title: Server side includes (SSIs) must run with execution capability disabled. STIG ID: WA000-WWA054 A22 Rule ID: SV-32753r1_rule Vuln ID: V-13733 Severity: CAT I Class: Unclass
Rule Title: The MultiViews directive must be disabled. STIG ID: WA000-WWA056 A22 Rule ID: SV-32754r1_rule Vuln ID: V-13734 Severity: CAT II Class: Unclass
Rule Title: Directory indexing must be disabled on directories not containing index files. STIG ID: WA000-WWA058 A22 Rule ID: SV-32755r1_rule Vuln ID: V-13735 Severity: CAT II Class: Unclass
Rule Title: The HTTP request message body size must be limited. STIG ID: WA000-WWA060 A22 Rule ID: SV-32756r1_rule Vuln ID: V-13736 Severity: CAT II Class: Unclass
Rule Title: The HTTP request header fields must be limited. STIG ID: WA000-WWA062 A22 Rule ID: SV-32757r1_rule Vuln ID: V-13737 Severity: CAT II Class: Unclass
Rule Title: The HTTP request header field size must be limited. STIG ID: WA000-WWA064 A22 Rule ID: SV-32766r1_rule Vuln ID: V-13738 Severity: CAT II Class: Unclass
Rule Title: The HTTP request line must be limited. STIG ID: WA000-WWA066 A22 Rule ID: SV-32768r1_rule Vuln ID: V-13739 Severity: CAT II Class: Unclass
Rule Title: Web Distributed Authoring and Versioning (WebDAV) must be disabled. STIG ID: WA00505 A22 Rule ID: SV-33216r1_rule Vuln ID: V-26287 Severity: CAT II Class: Unclass
Rule Title: Web server status module will be disabled. STIG ID: WA00510 A22 Rule ID: SV-33218r1_rule Vuln ID: V-26294 Severity: CAT II Class: Unclass
Rule Title: The web server must not be configured as a proxy server. STIG ID: WA00520 A22 Rule ID: SV-33220r1_rule Vuln ID: V-26299 Severity: CAT II Class: Unclass
Rule Title: User specific directories must not be globally enabled. STIG ID: WA00525 A22 Rule ID: SV-33221r1_rule Vuln ID: V-26302 Severity: CAT II Class: Unclass
Rule Title: The web server must be configured to explicitly deny access to the OS root. STIG ID: WA00540 A22 Rule ID: SV-33226r1_rule Vuln ID: V-26323 Severity: CAT II Class: Unclass
Rule Title: Web server options for the OS root must be disabled. STIG ID: WA00545 A22 Rule ID: SV-33213r1_rule Vuln ID: V-26324 Severity: CAT II Class: Unclass
Rule Title: The TRACE method must be disabled. STIG ID: WA00550 A22 Rule ID: SV-33227r1_rule Vuln ID: V-26325 Severity: CAT II Class: Unclass
Rule Title: The web server must be configured to listen on a specific IP address and port. STIG ID: WA00555 A22 Rule ID: SV-33228r1_rule Vuln ID: V-26326 Severity: CAT II Class: Unclass
Rule Title: The URL-path name must be set to the file path name or the directory path name. STIG ID: WA00560 A22 Rule ID: SV-33229r1_rule Vuln ID: V-26327 Severity: CAT II Class: Unclass
Rule Title: Automatic directory indexing must be disabled. STIG ID: WA00515 A22 Rule ID: SV-33219r1_rule Vuln ID: V-26368 Severity: CAT II Class: Unclass
Rule Title: The ability to override the access configuration for the OS root directory must be disabled. STIG ID: WA00547 A22 Rule ID: SV-33232r1_rule Vuln ID: V-26393 Severity: CAT II Class: Unclass
Rule Title: HTTP request methods must be limited. STIG ID: WA00565 A22 Rule ID: SV-33236r1_rule Vuln ID: V-26396 Severity: CAT II Class: Unclass
CCI-001362 CCI-001588 CCI-000381
Rule Title: Web administration tools must be restricted to the web manager and the web manager's designees. STIG ID: WG220 A22 Rule ID: SV-32948r1_rule Vuln ID: V-2248 Severity: CAT II Class: Unclass
Rule Title: The web server's htpasswd files (if present) must reflect proper ownership and permissions. STIG ID: WG270 A22 Rule ID: SV-36478r1_rule Vuln ID: V-2255 Severity: CAT II Class: Unclass
Rule Title: Web server system files must conform to minimum file permission requirements. STIG ID: WG300 A22 Rule ID: SV-32938r1_rule Vuln ID: V-2259 Severity: CAT II Class: Unclass
Rule Title: The httpd.conf StartServers directive must be set properly. STIG ID: WA000-WWA026 A22 Rule ID: SV-36645r1_rule Vuln ID: V-13727 Severity: CAT II Class: Unclass
Rule Title: The httpd.conf MinSpareServers directive must be set properly. STIG ID: WA000-WWA028 A22 Rule ID: SV-36646r1_rule Vuln ID: V-13728 Severity: CAT II Class: Unclass
Rule Title: The httpd.conf MaxSpareServers directive must be set properly. STIG ID: WA000-WWA030 A22 Rule ID: SV-36648r1_rule Vuln ID: V-13729 Severity: CAT III Class: Unclass
Rule Title: The httpd.conf MaxClients directive must be set properly. STIG ID: WA000-WWA032 A22 Rule ID: SV-36649r1_rule Vuln ID: V-13730 Severity: CAT II Class: Unclass
Rule Title: The process ID (PID) file must be properly secured. STIG ID: WA00530 A22 Rule ID: SV-33222r1_rule Vuln ID: V-26305 Severity: CAT II Class: Unclass
Rule Title: The ScoreBoard file must be properly secured. STIG ID: WA00535 A22 Rule ID: SV-33223r1_rule Vuln ID: V-26322 Severity: CAT II Class: Unclass

Further CCE descriptions, parameters and technical mechanisms:

The Apache SSLProtocol directive should be configured appropriately.
(1) SSLv2 / SSLv3 / TLSv1 / All
(1) Apache configuration file: SSLProtocol directive

The Apache SSLEngine directive should be configured appropriately.
(1) On / Off
(1) Apache configuration file: SSLEngine directive

The required permissions for the file %SystemRoot%\System32\wscript.exe should be assigned.
(1) defined by the %SystemRoot%\System32\wscript.exe DACL
The required permissions for the file %SystemRoot%\System32\cscript.exe should be assigned.
(1) defined by the %SystemRoot%\System32\cscript.exe DACL

The Apache "ServerTokens" directive should be configured appropriately.
(1) Prod[uctOnly] / Major / Minor / Min[imal] / OS / Full
(1) Apache configuration file: ServerTokens directive

The Apache web server should be run with the appropriate privileges.
(1) Account type: ( privileged / non privileged )
(1) My Computer / Manage / Configuration / Local Users and Groups /

All of Apache's online manual should be available or removed as appropriate.
(1) manual in the Server Root directory
Apache's demo CGI printenv.pl should be available or removed as appropriate.
(1) (ServerRoot)\cgi-bin\printenv.pl (2) (ServerRoot)/cgi-bin/printenv.pl

The Apache access log file data should be configured to contain the appropriate data elements.
(1) LogFormat Format String
(1) Apache configuration file: LogFormat directive

The Apache "Timeout" directive should be configured appropriately.
(1) Number value (in seconds)
(1) Apache configuration file: Timeout directive
The Apache "KeepAlive" directive should be configured appropriately.
(1) Apache configuration file: KeepAlive directive
The Apache "KeepAliveTimeout" directive should be configured appropriately.
(1) Apache configuration file: KeepAliveTimeout directive

The Apache "FollowSymLinks" setting for all "Options" directives should be configured appropriately.
(1) FollowSymLinks / -FollowSymLinks / +FollowSymLinks / None
(1) Apache configuration file: Options directive
The Apache "Includes" setting for all "Options" directives should be configured appropriately.
(1) Includes / -Includes / +Includes / None
The Apache "IncludesNoExec" setting for all "Options" directives should be configured appropriately.
(1) IncludesNoExec / -IncludesNoExec / +IncludesNoExec / None
The Apache "MultiViews" setting for all "Options" directives should be configured appropriately.
(1) MultiViews / -MultiViews / +MultiViews / None
The Apache "Indexes" setting for all "Options" directives should be configured appropriately.
(1) Indexes / -Indexes / +Indexes / None

The Apache "LimitRequestBody" directive should be configured appropriately.
(1) Number value (in bytes)
(1) Apache configuration file: LimitRequestBody directive
The Apache "LimitRequestFields" directive should be configured appropriately.
(1) Apache configuration file: LimitRequestFields directive
The Apache "LimitRequestFieldSize" directive should be configured appropriately.
(1) Number value (in bytes)
(1) Apache configuration file: LimitRequestFieldSize directive
The Apache "LimitRequestLine" directive should be configured appropriately.
(1) Apache configuration file: LimitRequestLine directive

The path for Apache sites' error log files should be configured appropriately.
(1) File path
(1) Apache configuration file: ErrorLog directive
The Apache system logging should be configured appropriately.
(1) File path | pipe (2) LogFormat | nickname
(1) Apache configuration file: CustomLog directive
The Apache "LogLevel" directive should be configured appropriately.
(1) debug / info / notice / warn / error / crit / alert / emerg
(1) Apache configuration file: LogLevel directive

Web Distributed Authoring and Versioning (WebDAV) dav_module should be enabled or disabled as appropriate.
(1) dav_module
Web Distributed Authoring and Versioning (WebDAV) dav_fs_module should be enabled or disabled as appropriate.
(1) dav_fs_module
Web Distributed Authoring and Versioning (WebDAV) dav_lock_module should be enabled or disabled as appropriate.
(1) dav_lock_module
Apache's info_module should be enabled or disabled as appropriate.
(1) info_module
(1) Apache configuration file: LoadModule directive
Apache's status_module should be enabled or disabled as appropriate.
(1) status_module
Apache's proxy_module should be enabled or disabled as appropriate.
(1) proxy_module
Apache's proxy_ftp_module should be enabled or disabled as appropriate.
(1) proxy_ftp_module
Apache's proxy_http_module should be enabled or disabled as appropriate.
(1) proxy_http_module
Apache's proxy_connect_module should be enabled or disabled as appropriate.
(1) proxy_connect_module
Apache's proxy_ajp_module should be enabled or disabled as appropriate.
(1) proxy_ajp_module
Apache's proxy_balancer_module should be enabled or disabled as appropriate.
(1) proxy_balancer_module
User-specific directories should be enabled or disabled as appropriate.
(1) userdir_module

Apache's process ID (PID) file's Windows permissions should be configured appropriately.
Apache's Scoreboard file's Windows permissions should be configured appropriately.

The Order directive for the OS root should be configured appropriately.
(1) Allow,Deny / Deny,Allow / Mutual-failure
(1) Order directive
The Allow directive for the OS root should be configured appropriately.
(1) all | hostname/IP address/environment variable
(1) Allow directive
The Deny directive for the OS root should be configured appropriately.
(1) Deny directive
The Apache "ExecCGI" setting for all "Options" directives for the OS root should be configured appropriately.
(1) ExecCGI / -ExecCGI / +ExecCGI / None
(1) Apache configuration file: Options directive (in OS root Directory directive)
The Apache "FollowSymLinks" setting for all "Options" directives for the OS root should be configured appropriately.
The Apache "Includes" setting for all "Options" directives for the OS root should be configured appropriately.
The Apache "IncludesNoExec" setting for all "Options" directives for the OS root should be configured appropriately.
The Apache "Indexes" setting for all "Options" directives for the OS root should be configured appropriately.
The Apache "MultiViews" setting for all "Options" directives for the OS root should be configured appropriately.
The Apache "SymLinksIfOwnerMatch" setting for all "Options" directives for the OS root should be configured appropriately.
(1) SymLinksIfOwnerMatch / -SymLinksIfOwnerMatch / +SymLinksIfOwnerMatch / None

The Apache "TraceEnable" directive should be configured appropriately.
(1) on / off / extended
(1) Apache configuration file: TraceEnable directive

Apache's listening IP address should be configured appropriately.
(1) IP-address
(1) Apache configuration file: Listen directive
Apache's listening port should be configured appropriately.
(1) port number

The ScriptAlias for the specified directory should be configured appropriately.
(1) url-path (2) TARGET: directory path
(1) Apache configuration file: ScriptAlias directive

Automatic directory indexing should be enabled or disabled as appropriate.
(1) autoindex_module

The Apache AllowOverride directive should be configured appropriately for operating system root directories.

Permitted HTTP request methods should be configured appropriately.
(1) methods (2) access control directives
(1) Apache configuration file: LimitExcept directive

Anonymous sharing of Apache's web content directories with NFS should be configured appropriately.
(1) via /etc/exports
Anonymous sharing of Apache's web content directories with SMB should be configured appropriately.
(1) via /etc/samba/smb.conf

File permissions for httpd.conf should be set correctly.
(1) permissions
(1) via chmod
The httpd.conf file should be owned by the appropriate user.
(1) user
(1) via chown
The httpd.conf file should be owned by the appropriate group.
(1) group

The file permissions for all files specified by CustomLog directives should be configured appropriately.
All files specified by CustomLog directives should be owned by the appropriate user.
All files specified by CustomLog directives should be owned by the appropriate group.
The Unix permissions for all files specified by ErrorLog directives should be configured appropriately.
All files specified by ErrorLog directives should be owned by the appropriate user.
All files specified by ErrorLog directives should be owned by the appropriate group.
The Unix permissions of Apache's htpasswd file should be configured appropriately.
The htpasswd file should be owned by the appropriate user.
The htpasswd file should be owned by the appropriate group.
The Unix permissions for all directories specified by ScriptAlias directives should be configured appropriately.
All directories specified by ScriptAlias directives should be owned by the appropriate user.
All directories specified by ScriptAlias directives should be owned by the appropriate group.
The Unix permissions for all directories specified by ScriptAliasMatch directives should be configured appropriately.
All directories specified by ScriptAliasMatch directives should be owned by the appropriate user.
All directories specified by ScriptAliasMatch directives should be owned by the appropriate group.
The Unix permissions for all directories specified by DocumentRoot directives should be configured appropriately.
All directories specified by DocumentRoot directives should be owned by the appropriate user.
All directories specified by DocumentRoot directives should be owned by the appropriate group.
The Unix permissions for all directories specified by Alias directives should be configured appropriately.
All directories specified by Alias directives should be owned by the appropriate user.
All directories specified by Alias directives should be owned by the appropriate group.
The Unix permissions for all directories specified by ServerRoot directives should be configured appropriately.
All directories specified by ServerRoot directives should be owned by the appropriate user.
All directories specified by ServerRoot directives should be owned by the appropriate group.
The Unix permissions of Apache's configuration directory should be configured appropriately.
Apache's configuration directory should be owned by the appropriate user.
Apache's configuration directory should be owned by the appropriate group.
The Unix permissions of Apache's /bin directory should be configured appropriately.
Apache's /bin directory should be owned by the appropriate user.
Apache's /bin directory should be owned by the appropriate group.
The Unix permissions of Apache's /logs directory should be configured appropriately.
Apache's /logs directory should be owned by the appropriate user.
Apache's /logs directory should be owned by the appropriate group.
The Unix permissions of Apache's /htdocs directory should be configured appropriately.
Apache's /htdocs directory should be owned by the appropriate user.
Apache's /htdocs directory should be owned by the appropriate group.
The Unix permissions of Apache's /cgi-bin directory should be configured appropriately.
Apache's /cgi-bin directory should be owned by the appropriate user.
Apache's /cgi-bin directory should be owned by the appropriate group.

The Apache "StartServers" directive should be configured appropriately.
(1) Apache configuration file: StartServers directive
The Apache "MinSpareServers" directive should be configured appropriately.
(1) Apache configuration file: MinSpareServers directive
The Apache "MaxSpareServers" directive should be configured appropriately.
(1) Apache configuration file: MaxSpareServers directive
The Apache "MaxClients" directive should be configured appropriately.
(1) Apache configuration file: MaxClients directive

Apache's process ID (PID) file's Unix permissions should be configured appropriately.
Apache's process ID (PID) file should be owned by the appropriate user.
Apache's process ID (PID) file should be owned by the appropriate group.
Apache's Scoreboard file's Unix permissions should be configured appropriately.
Apache's scoreboard file should be owned by the appropriate user.
Apache's scoreboard file should be owned by the appropriate group.

The location of the Apache htpasswd file should be set correctly.
(1) directory path
(1) Directory of htpasswd file

The Apache User directive should be set correctly.
(1) user name
(1) Apache configuration file: User directive
The Apache Group directive should be set correctly.
(1) group name
(1) Apache configuration file: Group directive

The Apache ServerSignature directive should be set appropriately.
(1) On/Off/EMail
(1) Apache configuration file: ServerSignature directive

The Apache runtime rewriting engine should be enabled or disabled as appropriate.
(1) off/on
(1) Apache configuration file: RewriteEngine directive

The Apache ErrorDocument directive should be set correctly for HTTP 400 errors.
(1) message/document
(1) Apache configuration file: 'ErrorDocument 400' directive
The Apache ErrorDocument directive should be set correctly for HTTP 401 errors.
(1) Apache configuration file: 'ErrorDocument 401' directive
The Apache ErrorDocument directive should be set correctly for HTTP 403 errors.
(1) Apache configuration file: 'ErrorDocument 403' directive
The Apache ErrorDocument directive should be set correctly for HTTP 404 errors.
(1) Apache configuration file: 'ErrorDocument 404' directive
The Apache ErrorDocument directive should be set correctly for HTTP 405 errors.
(1) Apache configuration file: 'ErrorDocument 405' directive
The Apache ErrorDocument directive should be set correctly for HTTP 500 errors.
(1) Apache configuration file: 'ErrorDocument 500' directive

The Apache user account should be locked or unlocked as appropriate.
(1) locked/unlocked
(1) via /etc/passwd
The Apache user account should be allowed root privileges as appropriate.
(1) allowed/not allowed
The group membership of the Apache user account should be set correctly.
(1) via /etc/group
The ownership of the Apache /etc/httpd/conf/passwd file should be set correctly.
(1) owner
The group membership of the Apache /etc/httpd/conf/passwd file should be set correctly.
(1) via chgrpSThe permissions for the Apache /etc/httpd/conf/passwd file should be set correctly.GThe ownership of the Apache /var/www/html file should be set correctly.NThe group membership of the Apache /var/www/html file should be set correctly.IThe permissions for the Apache/var/www/html file should be set correctly.MThe ownership of log files in Apache /var/log/httpd/ should be set correctly.TThe group membership of any Apache files in /var/log/httpd/ should be set correctly.OThe permissions of any Apache files in /var/log/httpd/ should be set correctly.KThe ownership of the Apache /etc/httpd/conf.d file should be set correctly.RThe group membership of the Apache /etc/httpd/conf.d file should be set correctly.NThe permissions for the Apache /etc/httpd/conf.d file should be set correctly.JThe ownership of the Apache /usr/sbin/httpd file should be set correctly. QThe group membership of the Apache /usr/sbin/httpd file should be set correctly. MThe permissions for the Apache /usr/sbin/httpd file should be set correctly. MThe ownership of the Apache /usr/sbin/apachectl file should be set correctly.TThe group membership of the Apache /usr/sbin/apachectl file should be set correctly.PThe permissions for the Apache /usr/sbin/apachectl file should be set correctly.^The "FollowSymLinks" setting of the DocumentRoot should be enabled or disabled as appropriate.V(1) Apache configuration file: Options directive (in DocumentRoot Directory directive)XThe"Includes" setting of the DocumentRoot should be enabled or disabled as appropriate. 
^The "IncludesNOEXEC" setting of the DocumentRoot should be enabled or disabled as appropriate.WThe "Indexes" setting of the DocumentRoot should be enabled or disabled as appropriate.YThe"MultiViews" setting of the DocumentRoot should be enabled or disabled as appropriate.WThe "ExecCGI" setting of the DocumentRoot should be enabled or disabled as appropriate.WThe Order directive for all DocumentRoot directives should be configured appropriately.T(1) Apache configuration file: Order directive (in DocumentRoot Directory directive)]The Order directive for the specified Directory directive should be configured appropriately.O (1) TARGET: Directory directive (2) Apache configuration file: Order directive]The Allow directive for the specified Directory directive should be configured appropriately.\The Deny directive for the specified Directory directive should be configured appropriately.+testcgi should be installed as appropriate.(1) exist/not exist(1) cgi-script directory\CIS Security Configuration Benchmark For Apache Web Server 2.2 Version 3.1.0 June 11th, 20121.9.1 Denial of Service Mitigation (Level 1, Scorable) Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more. 
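The Options, AllowOverride, Order, Allow and Deny checks listed above all concern the <Directory> containers for the OS root and the document root, and the LimitExcept check concerns the request methods allowed inside the document root container. The Python below is an added example, not part of the original checklist or of the CIS benchmark: it parses those containers from a constructed httpd.conf fragment, reports which of the checks fail, and shows the same containers in a hardened form. The path /var/www/html, both fragments, and the rule that the document root's <LimitExcept> must carry Order deny,allow plus Deny from all are assumptions made for the example; only one level of <LimitExcept> nesting inside <Directory> is handled.

```python
import re

# Constructed httpd.conf fragment with the weak settings the checks above flag.
WEAK_CONF = """
<Directory />
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
"""

# The same containers hardened as the benchmark items on this page describe.
HARDENED_CONF = """
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/html">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
"""

OPEN_RE = re.compile(r'^<(Directory|LimitExcept)\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)
CLOSE_RE = re.compile(r'^</(Directory|LimitExcept)\s*>$', re.IGNORECASE)
# Options the benchmark says to keep off the document root (items 1.5.2 and 1.5.3).
RISKY_OPTIONS = {"followsymlinks", "symlinksifownermatch", "includes", "execcgi", "indexes"}


def parse_containers(text):
    """Map each <Directory> path to its directives and any nested <LimitExcept>.

    Names and values are lower-cased because Apache matches directive names
    case-insensitively; comments and blank lines are skipped.
    """
    containers, current, in_limit = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            kind, arg = m.group(1).lower(), m.group(2).strip()
            if kind == "directory":
                current = {"directives": [], "limit_except": None}
                containers[arg] = current
            elif current is not None:
                current["limit_except"] = {"methods": arg.split(), "directives": []}
                in_limit = True
            continue
        m = CLOSE_RE.match(line)
        if m:
            current, in_limit = (None, False) if m.group(1).lower() == "directory" else (current, False)
            continue
        if current is not None:
            parts = line.split(None, 1)
            name, value = parts[0].lower(), (parts[1].strip().lower() if len(parts) > 1 else "")
            (current["limit_except"] if in_limit else current)["directives"].append((name, value))
    return containers


def values(entry, name):
    return [v for n, v in entry["directives"] if n == name]


def audit_containers(text, docroot):
    """Return a list of findings for the OS root and document root containers."""
    containers, findings = parse_containers(text), []
    root = containers.get("/")
    if root is None:
        findings.append("/: missing <Directory /> container")
    else:
        if values(root, "options") != ["none"]:
            findings.append("/: Options must be None")
        if values(root, "allowoverride") != ["none"]:
            findings.append("/: AllowOverride must be None")
        if values(root, "order") != ["deny,allow"]:
            findings.append("/: Order must be deny,allow")
        if "from all" not in values(root, "deny"):
            findings.append("/: missing 'Deny from all'")
        if values(root, "allow"):
            findings.append("/: remove Allow directives")
    web = containers.get(docroot)
    if web is None:
        findings.append(f"{docroot}: missing <Directory> container")
    else:
        # "+Opt" enables, "-Opt" disables; only enabled tokens matter here.
        opts = {t.lstrip("+") for t in " ".join(values(web, "options")).split() if not t.startswith("-")}
        risky = sorted(opts & RISKY_OPTIONS)
        if risky:
            findings.append(f"{docroot}: drop Options {risky} (only None or MultiViews expected)")
        le = web["limit_except"]
        if le is None:
            findings.append(f"{docroot}: no <LimitExcept> restricting request methods")
        elif "deny,allow" not in values(le, "order") or "from all" not in values(le, "deny"):
            findings.append(f"{docroot}: <LimitExcept> must use Order deny,allow and Deny from all")
    return findings
```

To audit a real server, pass the text of httpd.conf to audit_containers together with the configured DocumentRoot; the parser does not follow Include directives and ignores <Location> and <Files> containers, so concatenate httpd.conf with the files under conf.d yourself when the configuration is split.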
    (page 71)
1.2.2 Enable the Log Config Module (Level 1, Scorable), page 12
    For dynamically loaded modules, add or modify the LoadModule directive so that it is present in the Apache configuration as below and not commented out:
        LoadModule log_config_module modules/mod_log_config.so
1.7.1 Install mod_ssl and/or mod_nss (Level 1, Scorable), page 59
    Ensure that mod_ssl and/or mod_nss is loaded in the Apache configuration:
        # httpd -M | egrep 'ssl_module|nss_module'
1.7.4 Restrict weak SSL Protocols and Ciphers (Level 1, Scorable), page 65
    Add or modify the following line in the Apache server-level configuration and in every SSL-enabled virtual host:
        SSLProtocol -ALL +SSLv3 +TLSv1
    Note that this 2012 guidance still permits SSLv3, which was later broken (POODLE, 2014) and deprecated by RFC 7568; current practice disables both SSLv2 and SSLv3 and leaves only TLS enabled.
1.5.4 Remove Default HTML Content (Level 1, Scorable), page 37
    Remove the Apache user manual content, or comment out configurations referencing the manual:
        # yum erase httpd-manual
1.8.1 Limit Information in the Server Token (Level 1, Scorable), page 68
    Add or modify the ServerTokens directive to have the value Prod or ProductOnly:
        ServerTokens Prod
1.5.5 Remove Default CGI Content printenv (Level 1, Scorable), page 39
    Remove the printenv default CGI from the cgi-bin directory if it is installed:
        # rm $APACHE_PREFIX/cgi-bin/printenv
1.6.2 Configure the Access Log (Level 1, Scorable)
    Add or modify the LogFormat directives in the Apache configuration to use the standard and recommended combined format shown below:
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
1.9.1 Denial of Service Mitigation (Level 1, Scorable), page 71
    Add or modify the Timeout directive in the Apache configuration to have a value of 10 seconds or shorter:
        Timeout 10
1.9.1 Denial of Service Mitigation (Level 1, Scorable), page 71
    Add or modify the KeepAlive directive in the Apache configuration to have a value of On, so that keep-alive connections are enabled:
        KeepAlive On
1.9.1 Denial of Service Mitigation (Level 1, Scorable), page 71
    Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less:
        KeepAliveTimeout 15
1.5.3 Minimize Options for Other Directories (Level 1, Scorable), page 35
    FollowSymLinks & SymLinksIfOwnerMatch: following symbolic links is not recommended and should be disabled if possible.
    Includes & IncludesNOEXEC: the IncludesNOEXEC option should only be needed when server-side includes are required. The full Includes option should not be used, as it also allows execution of arbitrary shell commands.
    MultiViews: appropriate if content negotiation is required, such as when multiple languages are supported.
    Indexes: the Indexes option causes automatic generation of directory indexes when the default index page is missing, and should be disabled unless required.
1.9.2 Buffer Overflow Mitigation (Level 2, Scorable), page 73
    Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Read the Apache documentation so that it is understood that this directive also limits the size of file uploads to the web server:
        LimitRequestBody 102400
1.9.2 Buffer Overflow Mitigation (Level 2, Scorable), page 73
    Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present, the default depends on a compile-time configuration, but defaults to 100:
        LimitRequestFields 100
1.9.2 Buffer Overflow Mitigation (Level 2, Scorable), page 73
    Add or modify the LimitRequestFieldSize directive in the Apache configuration to have a value of 1024 or less:
        LimitRequestFieldSize 1024
1.9.2 Buffer Overflow Mitigation (Level 2, Scorable), page 72
    Add or modify the LimitRequestLine directive in the Apache configuration to have a value of 512 or shorter:
        LimitRequestLine 512
1.6.1 Configure the Error Log (Level 1, Scorable), page 50
    Add an ErrorLog directive if not already configured. The file path may be relative or absolute, or the logs may be sent to a syslog server:
        ErrorLog "logs/error_log"
    Add a similar ErrorLog directive for each configured virtual host if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs, and needs the skills, training and tools to monitor them.
1.6.2 Configure the Access Log (Level 1, Scorable), page 51
    Add or modify the CustomLog directives in the Apache configuration to use the combined format with an appropriate log file, syslog facility or piped logging utility:
        CustomLog logs/access_log combined
    Add a similar CustomLog directive for each configured virtual host if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs, and needs the skills, training and tools to monitor them.
1.6.1 Configure the Error Log (Level 1, Scorable), page 50
    Add or modify the LogLevel directive in the Apache configuration to have a value of notice or lower. It is compliant to use info or debug if there is a need for a more verbose log and the storage and monitoring processes are capable of handling the extra load. The recommended value is notice:
        LogLevel notice
1.2.3 Disable WebDAV modules (Level 1, Scorable)
    For dynamically loaded modules, comment out or remove the LoadModule directives for the mod_dav and mod_dav_fs modules from httpd.conf:
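The directive values quoted in items 1.9.1, 1.9.2, 1.8.1, 1.6.1 and 1.7.4 above (and the ServerSignature and TraceEnable values in items 1.8.2 and 1.5.8 quoted later on this page) are simple to audit mechanically. The Python below is an added example rather than code from the checklist or from CIS: it parses a constructed httpd.conf fragment carrying weak values, reports every directive outside the benchmark's bounds, and shows the same fragment with compliant values beside it. One deliberate departure from the 2012 text: the quoted SSLProtocol line still enables SSLv3, which was broken by the POODLE attack in 2014 and deprecated by RFC 7568, so the check treats both SSLv2 and SSLv3 as weak. Expanding the keyword "all" to every protocol name the script knows, and treating an unsigned token as "+", are simplifications assumed for the example, not mod_ssl's exact rules.

```python
# Constructed httpd.conf fragment carrying the weak values the items above address.
WEAK_CONF = """
ServerTokens Full
ServerSignature On
TraceEnable on
Timeout 300
KeepAlive On
MaxKeepAliveRequests 50
KeepAliveTimeout 15
# LimitRequestBody 102400    (commented out, so the compile-time default applies)
LimitRequestFields 100
LimitRequestFieldSize 8190
limitrequestline 8190
SSLProtocol -ALL +SSLv3 +TLSv1
LogLevel warn
"""

# The same directives set to values that satisfy the checks.
HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
TraceEnable off
Timeout 10
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
LimitRequestBody 102400
LimitRequestFields 100
LimitRequestFieldSize 1024
LimitRequestLine 512
SSLProtocol all -SSLv2 -SSLv3
LogLevel notice
"""

# (minimum, maximum) from items 1.9.1 and 1.9.2; None means no bound on that side.
NUMERIC_LIMITS = {
    "timeout": (None, 10),
    "keepalivetimeout": (None, 15),
    "maxkeepaliverequests": (100, None),
    "limitrequestbody": (None, 102400),
    "limitrequestfields": (None, 100),
    "limitrequestfieldsize": (None, 1024),
    "limitrequestline": (None, 512),
}
# Accepted values for keyword directives (items 1.8.1, 1.8.2, 1.5.8, 1.9.1).
KEYWORD_VALUES = {
    "servertokens": {"prod", "productonly"},
    "serversignature": {"off"},
    "traceenable": {"off"},
    "keepalive": {"on"},
}
LOGLEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"]
SSL_NAMES = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}  # assumed expansion of "all"


def parse_directives(text):
    """Return {directive: value} for uncommented lines; a later line overrides an earlier one."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                found[parts[0].lower()] = parts[1].strip()
    return found


def enabled_ssl_protocols(value):
    """Evaluate an SSLProtocol value left to right into the set of enabled protocols."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = SSL_NAMES if name.lower() == "all" else {name.lower()}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def audit_directives(text):
    """Return a list of findings; an empty list means every checked directive passed."""
    d, findings = parse_directives(text), []
    for name, (lo, hi) in NUMERIC_LIMITS.items():
        if name not in d:
            findings.append(f"{name}: not set, compile-time default applies")
        elif not d[name].isdigit():
            findings.append(f"{name}: non-numeric value {d[name]!r}")
        elif (lo is not None and int(d[name]) < lo) or (hi is not None and int(d[name]) > hi):
            findings.append(f"{name}: {d[name]} outside {lo}..{hi}")
    for name, allowed in KEYWORD_VALUES.items():
        if d.get(name, "").lower() not in allowed:
            findings.append(f"{name}: {d.get(name, '<unset>')} (expected one of {sorted(allowed)})")
    level = d.get("loglevel", "warn").lower()  # Apache's built-in default is warn
    if level in LOGLEVELS and LOGLEVELS.index(level) < LOGLEVELS.index("notice"):
        findings.append(f"loglevel: {level} is less verbose than notice")
    weak = enabled_ssl_protocols(d.get("sslprotocol", "")) & {"sslv2", "sslv3"}
    if weak:
        findings.append(f"sslprotocol: enables {sorted(weak)}")
    return findings
```

The LogLevel rule follows the benchmark's wording: notice is the floor, and the more verbose info and debug levels also pass. Numeric directives that are absent are reported rather than assumed compliant, because the quoted item says the effective default then depends on how httpd was compiled.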
        ##LoadModule dav_module modules/mod_dav.so
        ##LoadModule dav_fs_module modules/mod_dav_fs.so
    (page 13)
1.2.4 Disable Status module (Level 1, Scorable), page 14
    a) For source builds with static modules, run the Apache ./configure script with the --disable-status option:
        $ cd $DOWNLOAD/httpd-2.2.22
        $ ./configure --disable-status
    b) For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from httpd.conf:
        ##LoadModule status_module modules/mod_status.so
1.2.8 Disable Info module (Level 1, Scorable), page 18
    a) For source builds with static modules, run the Apache ./configure script without including mod_info in the --enable-modules= option:
        $ cd $DOWNLOAD/httpd-2.2.22
        $ ./configure
    b) For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from httpd.conf:
        ##LoadModule info_module modules/mod_info.so
1.2.6 Disable Proxy Modules (Level 1, Scorable), page 16
    a) For source builds with static modules, run the Apache ./configure script without including mod_proxy in the --enable-modules= option:
        $ cd $DOWNLOAD/httpd-2.2.22
        $ ./configure
    b) For dynamically loaded modules, comment out or remove the LoadModule directives for mod_proxy and all other proxy modules from httpd.conf:
        ##LoadModule proxy_module modules/mod_proxy.so
        ##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
        ##LoadModule proxy_http_module modules/mod_proxy_http.so
        ##LoadModule proxy_connect_module modules/mod_proxy_connect.so
        ##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
        ##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
1.2.7 Disable User Directories Module (Level 1, Scorable), page 17
    1. For source builds with static modules, run the Apache ./configure script with the --disable-userdir option:
        $ cd $DOWNLOAD/httpd-2.2.22
        $ ./configure --disable-userdir
    2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_userdir module from httpd.conf:
        ##LoadModule userdir_module modules/mod_userdir.so
1.4.1 Deny Access to OS Root Directory (Level 1, Scorable), page 27
    Ensure there is a single Order directive and set the value to deny,allow.
    Ensure there is a Deny directive and set the value to from all.
    Remove any Allow directives from the root <Directory> element.
1.5.1 Restrict Options for the OS Root Directory (Level 1, Scorable), page 33
    Set the value for Options to None.
1.5.8 Disable HTTP TRACE Method (Level 1, Scorable), page 42-43
    Add a TraceEnable directive to the server-level configuration with a value of off. Server-level configuration is the top-level configuration, not nested within any other container directive such as <Directory> or <VirtualHost>:
        TraceEnable off
1.9.3 Restrict Listen Directive (Level 2, Scorable), page 74
    The Apache Listen directive specifies the IP addresses and port numbers on which the Apache web server will listen for requests. Rather than listening on all IP addresses available to the system, the specific intended IP address or addresses should be explicitly specified. A Listen directive with no IP address, or with an IP address of all zeros, should not be used.
1.2.5 Disable Autoindex module (Level 1, Scorable)
    a) For source builds with static modules, run the Apache ./configure script with the --disable-autoindex option:
        $ cd $DOWNLOAD/httpd-2.2.22
        $ ./configure --disable-autoindex
    b) For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_autoindex module from httpd.conf:
        ##LoadModule autoindex_module modules/mod_autoindex.so
    (page 14-15)
1.4.3 Restrict OverRide for the OS Root Directory (Level 1, Scorable), page 30-31
    Set the value for AllowOverride to None.
1.5.7 Limit HTTP Request Methods (Level 1, Scorable), page 40-41
    For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods.
1.3.4 Apache Directory and File Ownership (Level 1, Scorable), page 21-22
    The Apache directories and files should be owned by root with the root (or root-equivalent) group.
1.3.5 Apache Directory and File Permissions (Level 1, Scorable), page 22-23
    The permissions on the Apache directories should be rwxr-xr-x (755), and the file permissions should be similar except not executable where execute is not appropriate.
    Perform the following to set the permissions on the $APACHE_PREFIX directories, and then remove other-read permissions on the bin directory and its contents:
        # chmod -R u=rwX,g=rX,o=rX $APACHE_PREFIX
        # chmod -R u=rwX,g=rX,o=X $APACHE_PREFIX/bin
1.3.8 Pid File Security (Level 1, Scorable), page 25
    Change the permissions so that the directory is only writable by root, or by the user under which Apache initially starts up (default is root).
    Change the ownership and group to root:root, if not already.
1.3.9 ScoreBoard File Security (Level 1, Scorable)
    Change the permissions so that the directory is only writable by root, or by the user under which Apache initially starts up (default is root).
    Change the ownership and group to root:root, if not already.
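Items 1.2.2 through 1.2.8 above all come down to which modules are active, and the benchmark's own check command for 1.7.1 (httpd -M) is the one source that also sees statically compiled modules, which never appear as LoadModule lines. The Python below is an added example, not from the checklist or from CIS: it collects active modules either from uncommented LoadModule lines or from httpd -M output and applies the module rules from those items to whichever map it is given. Both inputs are constructed for the example, and treating every module whose name starts with "proxy" as a proxy module is an assumption.

```python
import re

# Constructed LoadModule section of an httpd.conf (not taken from a real server).
SAMPLE_CONF = """
LoadModule log_config_module modules/mod_log_config.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
##LoadModule status_module modules/mod_status.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule autoindex_module modules/mod_autoindex.so
"""

# Constructed text in the shape 'httpd -M' prints, for a build with static modules.
SAMPLE_HTTPD_M = """
Loaded Modules:
 core_module (static)
 log_config_module (static)
 status_module (static)
 info_module (static)
 proxy_ajp_module (shared)
Syntax OK
"""

LOADMODULE_RE = re.compile(r"^LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)
HTTPD_M_RE = re.compile(r"^\s*(\S+_module)\s+\((static|shared)\)")

# Items 1.2.3 to 1.2.8: modules that should not be active.
DISALLOWED = {"dav_module", "dav_fs_module", "status_module", "info_module",
              "userdir_module", "autoindex_module"}
REQUIRED = {"log_config_module"}            # item 1.2.2
TLS_MODULES = {"ssl_module", "nss_module"}  # item 1.7.1: at least one must be present


def modules_from_conf(text):
    """Modules enabled by uncommented LoadModule lines -> {name: source path}."""
    mods = {}
    for raw in text.splitlines():
        m = LOADMODULE_RE.match(raw.strip())  # a leading '#' makes the line not match
        if m:
            mods[m.group(1)] = m.group(2)
    return mods


def modules_from_httpd_m(output):
    """Modules reported by 'httpd -M', static and shared -> {name: 'static'|'shared'}."""
    mods = {}
    for raw in output.splitlines():
        m = HTTPD_M_RE.match(raw)
        if m:
            mods[m.group(1)] = m.group(2)
    return mods


def audit_modules(mods):
    """Return findings for a {name: source} map of active modules."""
    findings = []
    for name in sorted(mods):
        if name in DISALLOWED or name.startswith("proxy"):
            findings.append(f"disable {name} ({mods[name]})")
    for name in sorted(REQUIRED - set(mods)):
        findings.append(f"missing required {name}")
    if not TLS_MODULES & set(mods):
        findings.append("missing ssl_module or nss_module")
    return findings
```

On a live host, feed audit_modules the parsed output of `httpd -M` rather than the configuration file, since a static build satisfies none of the LoadModule checks yet may still ship mod_status or mod_info.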
    (page 26)
1.5.10 Restrict Access to .ht* files (Level 1, Scorable), page 45
    A common name for web password and group files is .htpasswd and .htgroup. Neither of these files should be placed in the document root.
1.3.1 Run the Apache Web Server as a non-root user (Level 1, Scorable), page 19
    Although Apache is typically started with root privileges in order to listen on ports 80 and 443, it can and should run as another, non-root user to perform the web services. Configure the Apache user and group in the Apache configuration file httpd.conf:
        User apache
        Group apache
1.8.2 Limit Information in the Server Signature (Level 1, Scorable), page 68-69
    Add or modify the ServerSignature directive to have the value Off:
        ServerSignature Off
1.5.9 Restrict HTTP Protocol Versions (Level 1, Scorable), page 43-44
    Add the RewriteEngine directive to the configuration within the global server context with the value On, so that the rewrite engine is enabled:
        RewriteEngine On
1.3.3 Lock the Apache User Account (Level 1, Scorable), page 21
    Use the passwd command to lock the apache account:
        # passwd -l apache
1.5.2 Restrict Options for the Web Root Directory (Level 1, Scorable), page 34
    Add or modify any existing Options directive to have a value of None, or MultiViews if MultiViews is needed.
1.5.7 Limit HTTP Request Methods (Level 1, Scorable), page 41
    Search for the <Directory> directive on the document root directory and ensure that the access control order within it is allow,deny:
        Order allow,deny
1.4.2 Allow Appropriate Access to Web Content (Level 1, Not Scorable), page 28-29
    Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> and <Location> elements. Add a single Order directive and set the value to deny,allow, and include the appropriate Allow and Deny directives with values appropriate for the purposes of the directory.
1.5.6 Remove Default CGI Content test-cgi (Level 1, Scorable), page 39-40
    Remove the test-cgi default CGI from the cgi-bin directory if it is installed:
        # rm $APACHE_PREFIX/cgi-bin/test-cgi
1.3.4 Apache Directory and File Ownership (Level 1, Scorable), page 21
    The Apache directories and files should be owned by root with the root (or root-equivalent) group. The Apache web document root ($APACHE_PREFIX/htdocs) is likely to need a designated group (such as webupdate) to allow web content to be updated through a change management process.
1.3.5 Apache Directory and File Permissions (Level 1, Scorable)
    The permissions on the Apache directories should be rwxr-xr-x (755), and the file permissions should be similar except not executable where execute is not appropriate.
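Items 1.3.4, 1.3.5, 1.3.8 and 1.3.9 above reduce to ownership and mode bits on the $APACHE_PREFIX tree. The Python below is an added example rather than anything from the checklist or from CIS: it walks a prefix and reports entries that are group- or other-writable, entries under bin that are other-readable, and entries not owned by the expected uid:gid; it also implements the two chmod -R commands quoted in 1.3.5 so the before/after difference can be seen. The demo tree it builds in a temporary directory is constructed for the example, and the demo checks ownership against the temporary directory's own uid:gid because a non-root test cannot chown to root.

```python
import os
import shutil
import stat
import tempfile


def _under(path, top):
    return path == top or path.startswith(top + os.sep)


def check_tree(prefix, expected_uid=0, expected_gid=0):
    """Audit $APACHE_PREFIX against items 1.3.4 and 1.3.5 and return findings.

    Ownership defaults to root:root as the benchmark wants; pass other ids for
    trees such as htdocs that a designated content group is allowed to own.
    """
    findings, bin_dir = [], os.path.join(prefix, "bin")
    for dirpath, _dirs, files in os.walk(prefix):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless
            mode, rel = stat.S_IMODE(st.st_mode), os.path.relpath(path, prefix)
            if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
                findings.append(f"{rel}: owned by {st.st_uid}:{st.st_gid}, expected {expected_uid}:{expected_gid}")
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{rel}: group/other writable ({mode:04o})")
            if _under(path, bin_dir) and mode & stat.S_IROTH:
                findings.append(f"{rel}: other-readable under bin ({mode:04o})")
    return findings


def apply_benchmark_modes(prefix):
    """Python equivalent of 'chmod -R u=rwX,g=rX,o=rX $APACHE_PREFIX' followed by
    'chmod -R u=rwX,g=rX,o=X $APACHE_PREFIX/bin'.

    chmod's X grants execute only to directories and to files that already have
    an execute bit, which the `exe` test below reproduces.
    """
    bin_dir = os.path.join(prefix, "bin")
    for dirpath, _dirs, files in os.walk(prefix):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            exe = stat.S_ISDIR(st.st_mode) or bool(st.st_mode & 0o111)
            x = 0o111 if exe else 0
            mode = 0o640 | (x & 0o110)                                   # u=rwX,g=rX
            mode |= (x & 0o001) if _under(path, bin_dir) else (0o004 | (x & 0o001))  # o=X / o=rX
            os.chmod(path, mode)


def demo():
    """Build a constructed prefix with typical bad modes, audit it, fix it, re-audit.

    Returns (findings_before, findings_after) and removes the temporary tree.
    """
    prefix = tempfile.mkdtemp(prefix="apache-prefix-")
    owner = os.stat(prefix)
    sample_files = {"conf/httpd.conf": 0o666, "bin/httpd": 0o755,
                    "logs/error_log": 0o664, "htdocs/index.html": 0o644}
    for rel, mode in sample_files.items():
        path = os.path.join(prefix, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    for sub, mode in {"conf": 0o777, "bin": 0o755, "logs": 0o755, "htdocs": 0o755}.items():
        os.chmod(os.path.join(prefix, sub), mode)
    try:
        before = check_tree(prefix, owner.st_uid, owner.st_gid)
        apply_benchmark_modes(prefix)
        after = check_tree(prefix, owner.st_uid, owner.st_gid)
    finally:
        shutil.rmtree(prefix)
    return before, after
```

In the demo the world-writable conf directory, the 0666 httpd.conf, the group-writable error_log and the two other-readable entries under bin are reported before the fix and nothing is reported after it; on a real host the ownership argument stays at its root:root default and the tree under htdocs is audited separately with the content group's ids.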
    An exception in some cases may be a designated group with write access to the Apache web document root ($APACHE_PREFIX/htdocs), which is likely to need such a group to allow web content to be updated.
1.3.6 Core Dump Directory Security (Level 1, Scorable), page 23
    The core dump directory must be owned by root and have a group ownership of the Apache group (as defined via the Group directive), and must have no read, write or search permission for other users:
        # chown root:apache /var/log/httpd
        # chmod o-rwx /var/log/httpd

CCE identifiers:
CCE-27779-8 CCE-27516-4 CCE-27868-9 CCE-27830-9 CCE-27745-9 CCE-27780-6 CCE-27782-2 CCE-27839-0 CCE-27750-9 CCE-27599-0 CCE-27799-6 CCE-27705-3 CCE-27840-8 CCE-27771-5 CCE-27843-2 CCE-27240-1 CCE-27829-1 CCE-27306-0 CCE-27813-5 CCE-27773-1 CCE-27872-1 CCE-27740-0 CCE-27576-8 CCE-27753-3 CCE-27598-2 CCE-27380-5 CCE-27686-5 CCE-27469-6 CCE-27870-5 CCE-27639-4 CCE-27688-1 CCE-27456-3 CCE-27330-0 CCE-27877-0 CCE-27764-0 CCE-27666-7 CCE-27757-4 CCE-27657-6 CCE-27618-8 CCE-27741-8 CCE-27554-5 CCE-27426-6 CCE-27822-6 CCE-27794-7 CCE-27879-6 CCE-27132-0 CCE-27861-4 CCE-27583-4 CCE-27852-3 CCE-27357-3 CCE-27825-9 CCE-27788-9 CCE-27881-2 CCE-27579-2 CCE-27824-2 CCE-27887-9 CCE-27682-4 CCE-27845-7 CCE-27819-2 CCE-27510-7 CCE-27415-9 CCE-27684-0 CCE-27067-8 CCE-27134-6 CCE-27679-0 CCE-27506-5 CCE-27545-3 CCE-27692-3 CCE-27806-9 CCE-27531-3 CCE-27862-2 CCE-27246-8 CCE-27733-5 CCE-27759-0 CCE-27536-2 CCE-27776-4 CCE-27677-4 CCE-27612-1 CCE-27000-9 CCE-27890-3 CCE-27648-5 CCE-27400-1 CCE-27304-5 CCE-27876-2 CCE-27864-8 CCE-27724-4 CCE-27494-4 CCE-27481-1 CCE-27332-6 CCE-27873-9 CCE-27292-2 CCE-27282-3 CCE-27777-2 CCE-27619-6 CCE-27884-6 CCE-27384-7 CCE-27772-3 CCE-27492-8 CCE-27664-2 CCE-27627-9 CCE-27672-5 CCE-27460-5 CCE-27787-1 CCE-27548-7 CCE-27826-7 CCE-26950-6 CCE-27833-3 CCE-27800-2 CCE-27911-7 CCE-27709-5 CCE-27685-7 CCE-27540-4 CCE-27818-4 CCE-27602-2 CCE-27041-3 CCE-27699-8 CCE-27866-3 CCE-27793-9 CCE-27919-0
CCE-27820-0 CCE-27435-7 CCE-27449-8 CCE-27810-1 CCE-27848-1 CCE-27696-4 CCE-27851-5 CCE-27930-7 CCE-27126-2 CCE-27815-0 CCE-27859-8 CCE-27667-5 CCE-27756-6 CCE-27566-9 CCE-27883-8 CCE-27903-4 CCE-27791-3 CCE-27910-9 CCE-27680-8 CCE-27390-4 CCE-27860-6 CCE-27817-6 CCE-27781-4 CCE-27878-8 CCE-27722-8 CCE-27302-9 CCE-27700-4 CCE-27837-4 CCE-27856-4 CCE-27841-6 CCE-27854-9 CCE-27714-5 CCE-27422-5 CCE-27943-0 CCE-27497-7 CCE-27601-4 CCE-27462-1 CCE-27217-9 CCE-27273-2 CCE-27915-8 CCE-27935-6 CCE-26955-5 CCE-27901-8 CCE-27519-8 CCE-27892-9 CCE-27509-9 CCE-27382-1 CCE-27944-8 CCE-27897-8 CCE-27882-0 CCE-27313-6 CCE-26965-4 CCE-27023-1 CCE-27913-3

Last modified: 2013-02-11
Version: 5.20130214
Workbook: ApacheHTTPD2.2 (Sheet1), created with Microsoft Excel for Macintosh by Sain, Joseph A.