5.2 Ensure Options for the Web Root Directory Are Restricted

Information

The Apache 'Options' directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.

Refer to the Apache 2.2 documentation for details
[http://httpd.apache.org/docs/2.2/mod/core.html#options](http://httpd.apache.org/docs/2.2/mod/core.html#options).

Rationale:

The 'Options' directive at the web root or document root level should be restricted to the minimal options required. A setting of 'None' is highly recommended; however, at this level, content negotiation may be needed if multiple languages are supported. No other options should be enabled.

Solution

Perform the following to implement the recommended state:
1. Search the Apache configuration files ('httpd.conf' and any included configuration files) to find the document root '<Directory>' element.
2. Add or modify any existing 'Options' directive to have a value of 'None' or 'Multiviews', if multiviews are needed.

. . .
Options None
. . .

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|18, CSCv7|5.1

Plugin: Unix

Control ID: d3aad74b4d350f0387b85443a85352a7c0642a9c47c685c3b0832c6d9f663207