Details

In order to serve web content, the Apache ‘Allow’ directive will need to be used to allow for appropriate access to directories, locations, and virtual hosts that contain web content.

Rationale:

The ‘Allow’ directive may be used within a directory, a location, or other context to allow appropriate access. Access may be allowed to all, or to specific networks, hosts, or users as appropriate.

Solution

Perform the following to implement the recommended state:

1. Search the Apache configuration files (‘httpd.conf’ and any included configuration files) to find all ‘‘ and ‘‘ elements. There should be one for the document root and any special purpose directories or locations. There are likely to be other access control directives in other contexts, such as virtual hosts or special elements like ‘‘.
2. Add a single ‘Order’ directive and set the value to ‘deny, allow’.
3. Include the appropriate ‘Allow’ and ‘Deny’ directives, with values that are appropriate for the purposes of the directory.

The configurations below are just a few possible examples.

Order deny,allow
Deny from all
Allow from 192.169.

Order allow,deny
Allow from all

Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from ::1

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2378https://workbench.cisecurity.org/files/2378

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-3
• CSCv6|14.4
• CSCv7|14.6

Source

• Tenable.com/audits