STIGQter: STIG Summary: APACHE 2.2 Server for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019:

The web server must be configured to explicitly deny access to the OS root.

DISA Rule

SV-33226r1_rule

Vulnerability Number

V-26323

Group Title

WA00540

Rule Version

WA00540 A22

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Edit the httpd.conf file and set the root directory directive as follows:

Directory
Order deny,allow
Deny from all

Check Contents

Enter the following command:

more /usr/local/Apache2.2/conf/httpd.conf.

Review the httpd.conf file and search for the following directive:

Directory

For every root directory entry (i.e. <Directory />) ensure the following exists; if not, this is a finding.

Order deny,allow
Deny from all

If the statement above is not found in the root directory statement, this is a finding.

If Allow directives are included in the root directory statement, this is a finding.

Vulnerability Number

V-26323

Documentable

False

Rule Version

WA00540 A22

Severity Override Guidance

Enter the following command:

more /usr/local/Apache2.2/conf/httpd.conf.

Review the httpd.conf file and search for the following directive:

Directory

For every root directory entry (i.e. <Directory />) ensure the following exists; if not, this is a finding.

Order deny,allow
Deny from all

If the statement above is not found in the root directory statement, this is a finding.

If Allow directives are included in the root directory statement, this is a finding.

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments