5.3 Ensure Options for Other Directories Are Minimized

Information

The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation.

Rationale:

Likewise, the options for other directories and hosts needs to be restricted to the minimal options required. A setting of None is recommended, however it is recognized that other options may be needed in some cases:

Multiviews - Is appropriate if content negotiation is required, such as when multiple languages are supported.

ExecCGI - Is only appropriate for special directories dedicated to executable content such as a cgi-bin/ directory. That way you will know what is executed on the server. It is possible to enable CGI script execution based on file extension or permission settings, however this makes script control and management almost impossible as developers may install scripts without your knowledge. This may become a factor in a hosting environment.

FollowSymLinks & SymLinksIfOwnerMatch - The following of symbolic links is not recommended and should be disabled if possible. The usage of symbolic links opens up additional risk for possible attacks that may use inappropriate symbolic links to access content outside of the document root of the web server. Also consider that it could be combined with a vulnerability that allowed an attacker or insider to create an inappropriate link. The option SymLinksIfOwnerMatch is much safer in that the ownership must match in order for the link to be used, however keep in mind there is additional overhead created by requiring Apache to check the ownership.

Includes & IncludesNOEXEC - The IncludesNOEXEC option should only be needed when server side includes are required. The full Includes option should not be used as it also allows execution of arbitrary shell commands. See Apache Mod Include for details https://httpd.apache.org/docs/2.4/mod/mod_include.html

Indexes - The Indexes option causes automatic generation of indexes, if the default index page is missing, and should be disabled unless required.

Solution

Perform the following to implement the recommended state:

Search the Apache configuration files (httpd.conf and any included configuration files) to find all <Directory> elements.

Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above.

See Also

https://workbench.cisecurity.org/files/4548