4.4 Ensure OverRide Is Disabled for All Directories - AllowOverride

Information

The Apache AllowOverride directive and the new AllowOverrideList directive allow for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem. When this directive is set to All, then any directive which has the .htaccess context is allowed in .htaccess files.

Rationale:

.htaccess files decentralizes access control and increases the risk of server configuration being changed inappropriately.

Solution

Perform the following to implement the recommended state:

Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives.

Set the value for all AllowOverride directives to None.

. . .
AllowOverride None
. . .

Remove any AllowOverrideList directives found.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: c56c0a63e73f184490dfd9d4f30a4640e613ac6cbacdd4383415ecf773ee6300