UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Symbolic links must not be used in the web content directory tree.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2227 WG360 A22 SV-30576r1_rule High
Description
A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the scope of the web document root or home directory.
STIG Date
APACHE 2.2 Site for UNIX Security Technical Implementation Guide 2018-07-06

Details

Check Text ( C-31108r1_chk )
Locate the directories containing the web content, (i.e., /usr/local/apache/htdocs).

Use ls –al.

An entry, such as the following, would indicate the presence and use of symbolic links:

lr-xr—r-- 4000 wwwusr wwwgrp 2345 Apr 15 data -> /usr/local/apache/htdocs

Such a result found in a web document directory is a finding. Additional Apache configuration check in the httpd.conf file:


Options FollowSymLinks
AllowOverride None


The above configuration is incorrect and is a finding. The correct configuration is:


Options SymLinksIfOwnerMatch
AllowOverride None


Finally, the target file or directory must be owned by the same owner as the link, which should be a privileged account with access to the web content.
Fix Text (F-26783r1_fix)
Disable symbolic links.