4.4 Ensure OverRide Is Disabled for All Directories - AllowOverrideList

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The Apache 'AllowOverride' directive and the new 'AllowOverrideList' directive allow for '.htaccess' files to be used to override much of the configuration, including authentication, handling of document types, auto generated indexes, access control, and options. When the server finds an '.htaccess' file (as specified by 'AccessFileName') it needs to know which directives declared in that file can override earlier access information. When this directive is set to 'None', then '.htaccess' files are completely ignored. In this case, the server will not even attempt to read '.htaccess' files in the filesystem. When this directive is set to 'All', then any directive which has the '.htaccess' context is allowed in '.htaccess' files.

Rationale:

'.htaccess' files decentralizes access control and increases the risk of server configuration being changed inappropriately.

Solution

Perform the following to implement the recommended state:

1. Search the Apache configuration files ('httpd.conf' and any included configuration files) to find 'AllowOverride' directives.
2. Set the value for all 'AllowOverride' directives to 'None'.

. . .
AllowOverride None
. . .

3. Remove any 'AllowOverrideList' directives found.

See Also

https://workbench.cisecurity.org/files/2381