STIGQter: STIG Summary: APACHE 2.2 Server for UNIX Security Technical Implementation Guide Version: 1 Release: 11 Benchmark Date: 25 Jan 2019

Web server system files must conform to minimum file permission requirements.

DISA Rule

SV-32938r2_rule

Vulnerability Number

V-2259

Group Title

WG300

Rule Version

WG300 A22

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Use the chmod command to set permissions on the web server system directories and files as follows.

Directory          Owner  Group     Permissions (directories/files)
apache (root dir)  root   WebAdmin  771/660
/apache/cgi-bin    root   WebAdmin  775/775
/apache/bin        root   WebAdmin  550/550
/apache/config     root   WebAdmin  770/660
/apache/htdocs     root   WebAdmin  775/664
/apache/logs       root   WebAdmin  750/640

Check Contents

Apache directory and file permissions and ownership should be set per the following table. The installation directories may vary from one installation to the next. If used, the WebAdmin group should contain only accounts of persons authorized to manage the web server configuration; otherwise the root group should own all Apache files and directories.

Note: This check also applies to any other directory where CGI scripts are located. There may be additional directories based on the local implementation, and permissions should apply to directories of similar content. For example, all web content directories should follow the permissions for /htdocs.

If the files and directories are not set to the following permissions or more restrictive, this is a finding.

To locate the ServerRoot directory, enter the following command:
grep '^ServerRoot' /usr/local/apache2/conf/httpd.conf

Directory                 Owner  Group     Permissions
apache (Server root dir)  root   WebAdmin  771/660
/apache/cgi-bin           root   WebAdmin  775/775
/apache/bin               root   WebAdmin  550/550
/apache/config            root   WebAdmin  770/660
/apache/htdocs            root   WebAdmin  775/664
/apache/logs              root   WebAdmin  750/640

NOTE: The permissions are noted as directories / files.
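
The check above as a script, added here as an example and not part of the STIG or of STIGQter. It treats "or more restrictive" as "sets no permission bit outside the listed mode"; the function names are hypothetical, and it assumes GNU find/stat and a ServerRoot passed as the argument.

```shell
#!/bin/sh
# Added example: audit one Apache tree against the WG300 table above.
# Assumes GNU find/stat and path names without '|' or newlines.
OWNER=${OWNER:-root} GROUP=${GROUP:-WebAdmin}   # owner/group columns of the table

# mode_ok ACTUAL ALLOWED: true when ACTUAL (octal) sets no bit outside ALLOWED,
# i.e. it equals the listed mode or is more restrictive. setuid, setgid and
# sticky bits count as extra bits.
mode_ok() {
    [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# audit_tree DIR DIRMODE FILEMODE [SKIP...]: print one FINDING line per
# violation under DIR, ignoring the top-level subdirectories named in SKIP
# (they have their own table row). Returns 1 if anything was reported.
audit_tree() {
    dir=${1%/} dmode=$2 fmode=$3; shift 3; skip=" $* "
    out=$(find "$dir" \( -type d -o -type f \) -exec stat -c '%F|%a|%U|%G|%n' {} + |
        while IFS='|' read -r type mode u g path; do
            rel=${path#"$dir"/}
            [ "$path" = "$dir" ] || case $skip in *" ${rel%%/*} "*) continue ;; esac
            case $type in directory) want=$dmode ;; *) want=$fmode ;; esac
            mode_ok "$mode" "$want" || echo "FINDING $path mode $mode exceeds $want"
            [ "$u:$g" = "$OWNER:$GROUP" ] || echo "FINDING $path owner $u:$g, want $OWNER:$GROUP"
        done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"; return 1
}

# audit_apache ROOT: apply every row of the table to a ServerRoot.
audit_apache() {
    rc=0
    audit_tree "$1"         771 660 cgi-bin bin config htdocs logs || rc=1
    audit_tree "$1/cgi-bin" 775 775 || rc=1
    audit_tree "$1/bin"     550 550 || rc=1
    audit_tree "$1/config"  770 660 || rc=1
    audit_tree "$1/htdocs"  775 664 || rc=1
    audit_tree "$1/logs"    750 640 || rc=1
    return $rc
}
```

Run it as `audit_apache /path/to/ServerRoot`; a non-zero exit status means at least one finding was printed. Additional CGI or content directories can be checked with `audit_tree` and the matching row's modes.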

Documentable

False

Check Content Reference

M

Responsibility

Web Administrator

Target Key

158

Comments