UCF STIG Viewer Logo

The Apache web server document directory must be in a separate partition from the Apache web servers system files.


Finding ID Version Rule ID IA Controls Severity
V-92799 AS24-U2-000580 SV-102887r1_rule Medium
A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To allow a client access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.
Apache Server 2.4 UNIX Site Security Technical Implementation Guide 2019-10-03


Check Text ( C-92105r1_chk )
Run the following command:

grep "DocumentRoot"<'INSTALL PATH'>/conf/httpd.conf

Note each location following the "DocumentRoot" string. This is the configured path to the document root directory(s).

Use the command df -k to view each document root's partition setup.

Compare that against the results for the operating system file systems and against the partition for the web server system files, which is the result of the command:

df -k <'INSTALL PATH'>/bin

If the document root path is on the same partition as the web server system files or the operating system file systems, this is a finding.
Fix Text (F-99043r1_fix)
Move the web document (normally "htdocs") directory to a separate partition other than the operating system root partition and the web server’s system files.