Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-13733 | WA000-WWA054 | SV-14343r1_rule | | High |
Description |
---|
Directory options directives are httpd.conf directives that can be applied to further restrict access to files and directories. The "IncludesNOEXEC" option allows server-side includes, but #exec cmd and #exec cgi are disabled. It is still possible to #include virtual CGI scripts from ScriptAliased directories. |
STIG | Date |
---|---|
IIS 7.0 Server STIG | 2019-03-22 |
Check Text ( C-10985r1_chk ) |
---|
To view the Options value, enter the following command: `grep "Options" /usr/local/apache2/conf/httpd.conf` Review all uncommented Options statements for the following values: +IncludesNoExec, -IncludesNoExec, or -Includes. If these values don't exist, this is a finding. Note: If the enabled Options statement is set to "None", this check is N/A. |
Fix Text (F-13181r1_fix) |
---|
Edit the httpd.conf file and add one of the following to the enabled Options directive: +IncludesNoExec, -IncludesNoExec, or -Includes. Remove the 'Includes' or '+Includes' setting from the Options statement. |
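
The check and fix text above can be applied line by line with a small script; this is an added example, not part of the STIG. `audit_options` and `sample_conf` are hypothetical names, the sample configuration is constructed, and the script follows the check text literally while skipping commented lines that the plain `grep` would also return.

```shell
#!/bin/sh
# Added example, not part of the STIG. audit_options is a hypothetical helper
# that applies the check text literally to each uncommented Options directive.
audit_options() {
    awk '
    /^[ \t]*#/ { next }                      # commented-out lines are ignored
    tolower($1) == "options" {               # directive names are case-insensitive
        good = bad = none = 0
        for (i = 2; i <= NF; i++) {
            v = tolower($i)
            if (v == "none") none = 1
            else if (v == "includes" || v == "+includes") bad = 1
            else if (v == "+includesnoexec" || v == "-includesnoexec" || v == "-includes") good = 1
        }
        if (bad)       verdict = "FINDING"   # fix text: Includes/+Includes must be removed
        else if (none) verdict = "N/A"       # Options None: check not applicable
        else if (good) verdict = "OK"        # one of the three required values present
        else           verdict = "FINDING"   # required value missing
        if (verdict == "FINDING") findings++
        printf "%d %s\n", FNR, verdict       # line number, then verdict
    }
    END { exit (findings > 0) }              # non-zero status if any finding
    ' "$1"
}

# Constructed sample configuration (not taken from a real server).
sample_conf() {
    cat <<'EOF'
# Options +Includes
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/usr/local/apache2/htdocs/app">
    Options +IncludesNoExec -Indexes
</Directory>
<Directory "/usr/local/apache2/htdocs/legacy">
    Options +Includes -IncludesNoExec
</Directory>
<Directory "/usr/local/apache2/icons">
    Options None
</Directory>
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_options "$tmp" || echo "at least one Options directive is a finding"
rm -f "$tmp"
```

Against a real server, pass the path from the check text (`/usr/local/apache2/conf/httpd.conf`) as the argument; files pulled in through `Include` directives are not followed and need to be audited separately.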