4.2 Ensure Appropriate Access to Web Content Is Allowed

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

In order to serve Web content, either the Apache Allow directive or the Require directive will need to be used to allow for appropriate access to directories, locations and virtual hosts that contain web content.

Rationale:

Either the Allow or Require directives may be used within a directory, a location or other context to allow appropriate access. Access may be allowed to all, or to specific networks, or hosts, or users as appropriate. The Allow/Deny/Order directives are deprecated and should be replaced by the Require directive. It is also recommended that either the Allow directive or the Require directive be used, but not both in the same context.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the following to implement the recommended state:

Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> and <Location> elements. There should be one for the document root and any special purpose directories or locations. There are likely to be other access control directives in other contexts, such as virtual hosts or special elements like <Proxy>.

Include the appropriate Require directives, with values that are appropriate for the purposes of the directory.

The configurations below are just a few possible examples.

<Directory '/var/www/html/'>
Require ip 192.169.
</Directory>

<Directory '/var/www/html/'>
Require all granted
</Directory>

<Location /usage>
Require local
</Location>

<Location /portal>
Require valid-user
</Location>

Default Value:

The following is the default Web root directory configuration:

<Directory '/usr/local/apache2/htdocs'>

. . .

Require all granted

. . .

</Directory>

See Also

https://workbench.cisecurity.org/files/3021