STIGQter: STIG Summary: Apache Server 2.4 UNIX Site Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021

Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server.

DISA Rule

SV-214284r612241_rule

Vulnerability Number

V-214284

Group Title

SRG-APP-000141-WSR-000087

Rule Version

AS24-U2-000350

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Set the root directory directive as follows:

<Directory />
...
Require all denied
...
</Directory>

Remove any "Deny" and "Allow" directives from the root <Directory> element.

Restart Apache: apachectl restart

Check Contents

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Verify there is a single "Require" directive with the value of "all denied".

Verify there are no "Allow" or "Deny" directives in the root <Directory> element.

The following may be useful in extracting root directory elements from the Apache configuration for auditing:

# perl -ne 'print if /^ *<Directory *\//i .. /<\/Directory/i' $APACHE_PREFIX/conf/httpd.conf

If there are "Allow" or "Deny" directives in the root <Directory> element, this is a finding.
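An added example, not part of the STIG text: a shell function that applies the check above to the filesystem-root block only, accepting both `<Directory />` and `<Directory "/">` (the perl one-liner above matches any unquoted `<Directory /...>` block and skips the quoted form). The name `audit_root_directory` and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (audit_root_directory is a hypothetical helper, not part of Apache or the STIG).
# Exit status 0 = root <Directory> block compliant, 1 = finding. Checks one file only;
# Include/IncludeOptional targets must be audited separately.
audit_root_directory() {
    awk -v q="'" '
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }  # directives are case-insensitive
        low ~ /^<directory[ \t]/ {
            arg = low; gsub("[\"" q "]", "", arg)       # path may be quoted
            if (arg ~ /^<directory[ \t]+\/[ \t]*>/) { inroot = 1; seen = 1 }  # filesystem root only
            next
        }
        low ~ /^<\/directory>/ { inroot = 0; next }
        !inroot || low == "" || low ~ /^#/ { next }
        low ~ /^require([ \t]|$)/ {
            requires++
            val = low; sub(/^require[ \t]+/, "", val); gsub(/[ \t]+/, " ", val); sub(/ $/, "", val)
            if (val != "all denied") { print "FINDING: " line; bad = 1 }
            next
        }
        # Whole-word match so AllowOverride is not mistaken for Allow.
        low ~ /^(allow|deny)([ \t]|$)/ { print "FINDING: " line; bad = 1 }
        END {
            if (!seen) { print "FINDING: no root <Directory> block"; bad = 1 }
            else if (requires != 1) { print "FINDING: expected one Require, found " (requires + 0); bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample configuration (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Directory "/">
    AllowOverride none
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
EOF
audit_root_directory "$sample" || echo "root <Directory> block is non-compliant"
rm -f "$sample"
```

On a live system, pass the path built from the HTTPD_ROOT and SERVER_CONFIG_FILE values reported by `httpd -V`.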

Vulnerability Number

V-214284

Documentable

False

Rule Version

AS24-U2-000350

Severity Override Guidance

Check Content Reference

M

Target Key

3997

Comments