4.3 Ensure OverRide Is Disabled for the OS Root Directory - exclude AllowOverrideList

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The Apache AllowOverRide directive and the new AllowOverrideList directive allow for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem. When this directive is set to All, then any directive which has the .htaccess Context is allowed in the .htaccess files.

Rationale:

While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified, then it is wise to keep the configuration out of the web server from being placed in .htaccess files.

Solution

Perform the following to implement the recommended state:

Search the Apache configuration files (httpd.conf and any included configuration files) to find a root <Directory> element.

Remove any AllowOverrideList directives found.

Add a single AllowOverride directive if there is none.

Set the value for AllowOverride to None.

<Directory />
. . .
AllowOverride None
. . .
</Directory>

Default Value:

The following is the default root directory configuration:

<Directory />

. . .

AllowOverride None

. . .

</Directory>

See Also

https://workbench.cisecurity.org/files/3021