STIGQter: STIG Summary: APACHE 2.2 Site for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019

PERL scripts must use the TAINT option.

DISA Rule

SV-6932r1_rule

Vulnerability Number

V-2272

Group Title

WG460

Rule Version

WG460 A22

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Add the -T (TAINT) option to the interpreter line of the PERL script:

#!/usr/local/bin/perl -T

Check Contents

When a PERL script is invoked for execution on a UNIX server, the method which invokes the script must utilize the TAINT option.

The server’s interpreter examines the first line of the script. Typically, the first line of the script contains a reference to the script’s language and processing options.

The first line of a PERL script will be as follows:

#!/usr/local/bin/perl -T

The -T at the end of the line shown above tells the UNIX server to execute the PERL script with the TAINT option.

Perform the following steps:
1) grep perl httpd.conf | grep -v '#'

You should also check /apache/sysconfig.d/loadmodule.conf for PERL.

NOTE: The name of the loadmodule.conf may vary by installation.

If Apache doesn't have the mod_perl module loaded and it doesn't use PERL, this check is Not Applicable.

2) grep -i 'PerlTaintCheck' httpd.conf

If 'PerlTaintCheck on' is set, this is not a finding, and the check can stop here.

NOTE: If the PerlTaintCheck is a part of an included config file, this meets the requirement.

3) Check each individual PERL script.

From the ServerRoot directory: find . -name '*.pl'
From the DocumentRoot directory: find . -name '*.pl'

Examine the beginning of every PERL script for the -T option. If any PERL script does not specify the -T option, this is a finding.

NOTE: This only applies to PERL scripts that are used by the web server.

NOTE: If the mod_perl module is installed and the directive “PerlTaintCheck on” in the httpd.conf is used, this satisfies the requirement.
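The three check steps above, scripted as an added example that is not part of the STIG text. It assumes a directory holding httpd.conf plus any Include'd *.conf files, the ServerRoot and DocumentRoot paths, and builds a constructed fixture so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not STIG text. Automates steps 1-3 of the WG460 check.
# Assumed inputs: a directory of *.conf files (httpd.conf plus any Include'd
# files), then the ServerRoot and DocumentRoot paths.
# Prints NOT_APPLICABLE, NOT_A_FINDING or FINDING; offending scripts go to stderr.
check_perl_taint() {
    conf_dir=$1; server_root=$2; doc_root=$3

    # Step 1: is PERL/mod_perl referenced on a non-comment line?
    if ! grep -hv '^[[:space:]]*#' "$conf_dir"/*.conf 2>/dev/null | grep -qi 'perl'; then
        echo NOT_APPLICABLE; return 0
    fi

    # Step 2: a global 'PerlTaintCheck on' (httpd.conf or an included file) satisfies the rule.
    if grep -hv '^[[:space:]]*#' "$conf_dir"/*.conf 2>/dev/null \
         | grep -qiE '^[[:space:]]*PerlTaintCheck[[:space:]]+on([[:space:]]|$)'; then
        echo NOT_A_FINDING; return 0
    fi

    # Step 3: every *.pl under ServerRoot and DocumentRoot must carry -T on its
    # shebang line. Only upper-case T enforces taint mode; lower-case -t merely warns.
    bad=$(find "$server_root" "$doc_root" -type f -name '*.pl' 2>/dev/null |
          while IFS= read -r f; do
              head -n 1 "$f" | grep -qE '^#!.*perl.*[[:space:]]-[A-Za-z]*T' || echo "$f"
          done)
    if [ -n "$bad" ]; then
        printf 'missing -T:\n%s\n' "$bad" >&2
        echo FINDING
    else
        echo NOT_A_FINDING
    fi
}

# Constructed fixture (not a real server) so the script runs stand-alone:
# mod_perl loaded, PerlTaintCheck present only as a comment, one script
# with -wT and one without.
FIXTURE=$(mktemp -d)
mkdir -p "$FIXTURE/conf" "$FIXTURE/srv" "$FIXTURE/htdocs/cgi-bin"
printf 'LoadModule perl_module modules/mod_perl.so\n# PerlTaintCheck on\n' > "$FIXTURE/conf/httpd.conf"
printf '#!/usr/local/bin/perl -wT\nprint 1;\n' > "$FIXTURE/htdocs/cgi-bin/good.pl"
printf '#!/usr/local/bin/perl -w\nprint 1;\n' > "$FIXTURE/htdocs/cgi-bin/bad.pl"

RESULT=$(check_perl_taint "$FIXTURE/conf" "$FIXTURE/srv" "$FIXTURE/htdocs" 2>/dev/null)
echo "WG460 result: $RESULT"   # FINDING (bad.pl lacks -T)
```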

Documentable

False

Mitigations

WG460 - General

Severity Override Guidance

Check Content Reference

M

Mitigation Control

If the TAINT option cannot be used for any reason, this finding can be mitigated by the use of a third-party input validation mechanism, or by including input validation as part of the script in use. This must be documented.

Responsibility

Web Administrator

Target Key

161

Comments