APACHE 2.2 Site for UNIX STIG Version Comparison
APACHE 2.2 Site for UNIX Security Technical Implementation Guide
Comparison
There are 1 differences between versions v1 r9 (Oct. 27, 2017) (the "left" version) and v1 r11 (Jan. 25, 2019) (the "right" version).
Check WG290 A22 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
The regular view of the left check and right check may be easier to read.
Text Differences
Title
Web client access to the content directories must be restricted to read and execute.
Check Content
To view the value of Alias enter the following command: grep "Alias" /usr/local/apache2/conf/httpd.conf Alias ScriptAlias ScriptAliasMatch Review the results to determine the location of the files listed above. Enter the following command to determine the permissions of the above file: ls -Ll /file-path The only accounts listed should be the web administrator, developers, and the account assigned to run the apache server service. If service. If accounts that don’t need access to these directories are listed, this is a finding. If finding. If the permissions assigned to the account for the Apache web server service, or any group to which the Apache web server service belongs, is greater than Read & Execute (R_E), this is a finding.
Discussion
Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.
Fix
Assign the appropriate permissions to the applicable directories and files using the chmod command.