APACHE 2.2 Server for UNIX STIG Version Comparison
APACHE 2.2 Server for UNIX Security Technical Implementation Guide
Comparison
There are 6 differences between versions v1 r9 (Oct. 27, 2017) (the "left" version) and v1 r11 (Jan. 25, 2019) (the "right" version).
Check WA000-WWA050 A22 was changed between these two versions.
Text Differences
Title
All interactive programs must be placed in a designated directory with appropriate permissions.
Check Content
Search for the unnecessary CGI programs which may be found in the directories configured with ScriptAlias, Script or other Script* directives. Often, CGI directories are named cgi-bin. CGI AddHandler or SetHandler directives may also be in use for specific handlers such as perl, python and PHP.
To search the httpd.conf file for Options, enter the following command:
    grep "Options" /usr/local/apache2/conf/httpd.conf
For every instance of “Options” in the httpd.conf file other than where CGI files are specifically located, the “ExecCGI” must be explicitly disabled (-ExecCGI). If the value for Options is not returned with “-ExecCGI” (no +), this is a finding.
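The check above reads the grep output by eye. As an added example (not part of the STIG or of Apache), the script below applies the same rule per Options line, skipping directories named as ScriptAlias targets. The function names audit_execcgi and write_sample_conf and the sample configuration are constructed for illustration.

```sh
# Added example: flag Options directives that do not explicitly carry -ExecCGI.
# Scope (assumption): only <Directory> sections and ScriptAlias targets in one
# file are read; Include files and .htaccess are not followed.
audit_execcgi() {
    awk '
    # Pass 1 (first read of the file): remember ScriptAlias target directories.
    NR == FNR {
        if (tolower($1) == "scriptalias") {
            d = $3; gsub(/"/, "", d); sub(/\/$/, "", d); cgi[d] = 1
        }
        next
    }
    /^[ \t]*#/ { next }                        # skip comment lines
    tolower($1) == "<directory" {              # track the enclosing section
        cur = $2; gsub(/[">]/, "", cur)
        if (length(cur) > 1) sub(/\/$/, "", cur)
        next
    }
    tolower($1) == "</directory>" { cur = ""; next }
    tolower($1) == "options" {
        if (cur in cgi) next                   # designated CGI directory
        ok = 0
        for (i = 2; i <= NF; i++) if (tolower($i) == "-execcgi") ok = 1
        if (!ok) {
            printf "FINDING %s:%d [%s] %s\n", FILENAME, FNR, (cur == "" ? "server" : cur), $0
            bad = 1
        }
    }
    END { exit bad + 0 }                       # exit status 1 if any finding
    ' "$1" "$1"
}

# Constructed sample configuration (not taken from any real server).
write_sample_conf() {
    cat > "$1" <<'EOF'
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
Options FollowSymLinks
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/usr/local/apache2/htdocs/app">
    Options -Indexes -ExecCGI
</Directory>
<Directory "/usr/local/apache2/cgi-bin">
    Options +ExecCGI
</Directory>
EOF
}
```

Run it as audit_execcgi /usr/local/apache2/conf/httpd.conf; a non-zero exit status means at least one Options line needs review.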
Discussion
Directory options directives are directives that can be applied to further restrict access to files and directories. The Options directive controls which server features are available in a particular directory. The ExecCGI option controls the execution of CGI scripts using mod_cgi. This needs to be restricted to only the directory intended for script execution.
Fix
Locate any cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias or other Script* directives.
Remove the printenv default CGI in the cgi-bin directory if it is installed:
    rm $APACHE_PREFIX/cgi-bin/printenv
Remove the test-cgi file from the cgi-bin directory if it is installed:
    rm $APACHE_PREFIX/cgi-bin/test-cgi
Review and remove any other cgi-bin files which are not needed for business purposes.