The service must meet or exceed the minimum configuration settings.
Fermilab Web Server Settings Requirements All Fermilab Apache web servers must comply with the minimum required settings in the baseline. Anything that does not meet the minimum requirements must receive an exemption from the security department.
Support Each Web service must provide the uptime for both server hardware and software that is needed for the given web content residing on that server. The system must have a documented backup procedure.
Apache Software UpdatesApache managers will apply security updates within two weeks of their release unless CST determines they need to be applied.
Scheduled Scans All Fermilab Web servers should be security scanned at least twice a year. Scan results and configuration should be stored in the central FNAL repository.
Scanning Options Scans should be done for each web server virtual host and for the underlying operating system. The CGI script directory for the scan must be configured correctly for the scanner to find each active CGI directory on the Web server. If there is a directory for CGI scripts, then the scan should include checking for script/application exploits relevant to the given platform. If PHP is enabled, then the scan should include checking for PHP-related exploits, etc. It is strongly recommended that the administrator use Nesquik to run the appropriate scans.
Logging Information Central Unix Web servers keep logging data for 90 days and store all logs in a central place in AFS. Other Web servers should keep at least 30 days of logging data. Web services must participate in the central logging, notification and alerting systems.