Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-2227 | WG360 A22 | SV-30576r2_rule | ECSC-1 | High |
Description |
---|
A symbolic link allows a file or a directory to be referenced using a symbolic name raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the scope of the web document root or home directory. |
STIG | Date |
---|---|
APACHE SITE 2.0 for Unix | 2011-12-12 |
Check Text ( C-31108r2_chk ) |
---|
Locate the directories containing the web content, (i.e., /usr/local/apache/htdocs). Use ls –al. An entry, such as the following, would indicate the presence and use of symbolic links: lr-xr—r-- 4000 wwwusr wwwgrp 2345 Apr 15 data -> /usr/local/apache/htdocs Such a result found in a web document directory is a finding. Additional Apache configuration check in the httpd.conf file: Options FollowSymLinks AllowOverride None The above configuration is incorrect and is a finding. The correct configuration is: Options SymLinksIfOwnerMatch AllowOverride None Finally, the target file or directory must be owned by the same owner as the link, which should be a privileged account with access to the web content. |
Fix Text (F-26783r1_fix) |
---|
Disable symbolic links. |