The Apache web server must have resource mappings set to disable the serving of certain file types.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-214283	AS24-U2-000320	SV-214283r612241_rule		Medium

Description
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can and cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. The web server must only allow hosted application file types to be served to a user, and all other types must be disabled.

Description

Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. By not specifying which files can and cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. The web server must only allow hosted application file types to be served to a user, and all other types must be disabled.

STIG	Date
Apache Server 2.4 UNIX Site Security Technical Implementation Guide	2020-12-10

Details

Check Text ( C-15496r277190_chk )
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # httpd -V \| egrep -i 'httpd_root\|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" If "Action" or "AddHandler" exist and they configure .exe, .dll, .com, .bat, or .csh, or any other shell as a viewer for documents, this is a finding. If this is not documented and approved by the Information System Security Officer (ISSO), this is a finding.

Check Text ( C-15496r277190_chk )

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

If "Action" or "AddHandler" exist and they configure .exe, .dll, .com, .bat, or .csh, or any other shell as a viewer for documents, this is a finding.

If this is not documented and approved by the Information System Security Officer (ISSO), this is a finding.

Fix Text (F-15494r277191_fix)
Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # httpd -V \| egrep -i 'httpd_root\|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Disable MIME types for .exe, .dll, .com, .bat, and .csh programs. If "Action" or "AddHandler" exist and they configure .exe, .dll, .com, .bat, or .csh, remove those references. Restart Apache: apachectl restart Ensure this process is documented and approved by the ISSO.

Fix Text (F-15494r277191_fix)

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file:

# httpd -V | egrep -i 'httpd_root|server_config_file'
-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Disable MIME types for .exe, .dll, .com, .bat, and .csh programs.

If "Action" or "AddHandler" exist and they configure .exe, .dll, .com, .bat, or .csh, remove those references.

Restart Apache: apachectl restart

Ensure this process is documented and approved by the ISSO.