STIGQter: STIG Summary: APACHE 2.2 Site for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019

Symbolic links must not be used in the web content directory tree.

DISA Rule

SV-30576r1_rule

Vulnerability Number

V-2227

Group Title

WG360

Rule Version

WG360 A22

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Disable symbolic links.

Check Contents

Locate the directories containing the web content (e.g., /usr/local/apache/htdocs).

Use ls -al.

An entry, such as the following, would indicate the presence and use of symbolic links:

lr-xr--r-- 4000 wwwusr wwwgrp 2345 Apr 15 data -> /usr/local/apache/htdocs

Such a result found in a web document directory is a finding.

Additionally, check the Apache configuration in the httpd.conf file:

<Directory /[website root dir]>
Options FollowSymLinks
AllowOverride None
</Directory>

The above configuration is incorrect and is a finding. The correct configuration is:

<Directory /[website root dir]>
Options SymLinksIfOwnerMatch
AllowOverride None
</Directory>

Finally, the target file or directory must be owned by the same owner as the link, which should be a privileged account with access to the web content.
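An added check script (not from the STIG or STIGQter) that automates the three items above: symbolic links under the content root, link-versus-target ownership, and the Options directive in httpd.conf. It assumes POSIX sh with find, ls -L and grep -E; the fixture it builds is constructed sample data, and it also flags Options All, which enables FollowSymLinks as well.

```shell
#!/bin/sh
# Added example, not part of the STIG. Assumes POSIX sh, find, ls -L, grep -E.

# Print every symbolic link under the web content root (any hit is a finding).
find_symlinks() {
    find "$1" -type l
}

# Print links whose owner differs from the target's owner (ls -ld reports the
# link itself, ls -ldL the dereferenced target; owner is column 3).
symlink_owner_mismatch() {
    find "$1" -type l | while IFS= read -r link; do
        link_owner=$(ls -ld "$link" | awk '{print $3}')
        target_owner=$(ls -ldL "$link" 2>/dev/null | awk '{print $3}')
        [ "$link_owner" = "$target_owner" ] ||
            printf '%s: link owner %s, target owner %s\n' \
                "$link" "$link_owner" "${target_owner:-<dangling>}"
    done
}

# Exit 0 (finding) when an uncommented Options line enables FollowSymLinks.
# Names are case-insensitive; "+FollowSymLinks" counts, "-FollowSymLinks" does
# not, and "Options All" turns it on too. SymLinksIfOwnerMatch does not match.
followsymlinks_enabled() {
    grep -iE '^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]+])?(FollowSymLinks|All)([[:space:]]|$)' "$1" >/dev/null
}

# Run all checks for DOCROOT and CONF; returns 1 when there is any finding.
report() {
    rc=0
    links=$(find_symlinks "$1")
    if [ -n "$links" ]; then
        echo "finding: symbolic links in $1:"; echo "$links"
        symlink_owner_mismatch "$1"; rc=1
    fi
    followsymlinks_enabled "$2" && { echo "finding: FollowSymLinks enabled in $2"; rc=1; }
    return $rc
}

# Constructed fixture: htdocs/data -> a file outside the tree, plus the two
# httpd.conf fragments from the check text (bad.conf is the finding).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/htdocs" "$d/outside"
    echo secret >"$d/outside/secret"
    ln -s "$d/outside/secret" "$d/htdocs/data"
    printf '<Directory /var/www>\n Options FollowSymLinks\n AllowOverride None\n</Directory>\n' >"$d/bad.conf"
    printf '<Directory /var/www>\n Options SymLinksIfOwnerMatch\n AllowOverride None\n</Directory>\n' >"$d/good.conf"
    echo "$d"
}
```

Run it as `report /usr/local/apache/htdocs /path/to/httpd.conf`; a non-zero exit means at least one finding was printed.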

Documentable

False

Severity Override Guidance


Check Content Reference

M

Responsibility

System Administrator

Target Key

161

Comments