
The "IncludesNOEXEC" directive is not enabled on any directory that maintains Server Side Includes.


Overview

Finding ID | Version | Rule ID | IA Controls | Severity
V-13733 | WA000-WWA054 | SV-14343r1_rule | | High
Description
Directory Options directives are httpd.conf directives that can be applied to further restrict access to files and directories. The "IncludesNOEXEC" option allows Server Side Includes, but disables the #exec cmd and #exec cgi elements. It is still possible to #include virtual CGI scripts from ScriptAliased directories.
STIG | Date
IIS 7.0 Server STIG | 2019-03-22

Details

Check Text ( C-10985r1_chk )
To view the Options value, enter the following command: grep "Options" /usr/local/apache2/conf/httpd.conf

Review all uncommented Options statements for the following values: +IncludesNoExec, -IncludesNoExec, or -Includes. If these values don’t exist, this is a finding.

Note: if the enabled Options statement is set to “None” this check is N/A.
Fix Text (F-13181r1_fix)
Edit the httpd.conf file and add one of the following to the enabled Options directive: +IncludesNoExec, -IncludesNoExec, or -Includes. Remove the ‘Includes’ or ‘+Includes’ setting from the Options statement.
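
The check and fix above can be scripted so that each uncommented Options line gets its own verdict instead of being read by eye from grep output. The following is an added example, not part of the STIG: it applies the check text literally (one of the three listed values must be present, "Options None" is N/A) and, as an assumption drawn from the fix text, also flags any line that still carries Includes or +Includes. The function names, the sample configuration and its directory paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the STIG): classify each uncommented Options
# line in an Apache config per the check text. Exit status 1 = finding present.
audit_options() {
    awk '
    BEGIN { rc = 0 }
    /^[ \t]*#/ { next }                      # ignore commented-out lines
    tolower($1) == "options" {
        ok = 0; bad = 0; verdict = "FINDING"
        if (NF == 2 && tolower($2) == "none") {
            verdict = "N/A"                  # Options None: check not applicable
        } else {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)              # Apache option names are case-insensitive
                if (o == "+includesnoexec" || o == "-includesnoexec" || o == "-includes") ok = 1
                if (o == "includes" || o == "+includes") bad = 1   # fix text: must be removed
            }
            if (ok && !bad) verdict = "OK"
        }
        if (verdict == "FINDING") rc = 1
        printf "%d: %s: %s\n", FNR, verdict, $0
    }
    END { exit rc }' "$1"
}

# Constructed sample configuration (hypothetical paths), for demonstration only.
write_sample_conf() {
    cat > "$1" <<'EOF'
<Directory "/srv/www/a">
    Options +IncludesNoExec -Indexes
</Directory>
<Directory "/srv/www/b">
    Options +Includes +FollowSymLinks
</Directory>
<Directory "/srv/www/c">
    Options None
</Directory>
#   Options Includes
<Directory "/srv/www/d">
    Options FollowSymLinks
</Directory>
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_options "$sample" || echo "finding(s) present"
rm -f "$sample"
```

To audit a real server, call audit_options with the path used in the check text, and repeat it for any files pulled in through Include directives, since this script reads only the one file it is given.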