V-2227

CAT I (High)

Symbolic links must not be used in the web content directory tree.

Rule ID

SV-30576r1_rule

STIG

APACHE 2.2 Site for UNIX Security Technical Implementation Guide

Version

V1R11

CCIs

None

Discussion

A symbolic link allows a file or a directory to be referenced using a symbolic name, which raises a potential hazard if the link points to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the scope of the web document root or home directory.

Check Content

Locate the directories containing the web content (e.g., /usr/local/apache/htdocs).

Use ls -al.

An entry, such as the following, would indicate the presence and use of symbolic links:

lr-xr--r--  4000 wwwusr  wwwgrp  2345  Apr 15  data -> /usr/local/apache/htdocs

Such a result found in a web document directory is a finding. Also check the Apache configuration in the httpd.conf file:

<Directory /[website root dir]>
    Options FollowSymLinks
    AllowOverride None
</Directory>

The above configuration is incorrect and is a finding. The correct configuration is:

<Directory /[website root dir]>
    Options SymLinksIfOwnerMatch
    AllowOverride None
</Directory>

Finally, the target file or directory must be owned by the same owner as the link, which should be a privileged account with access to the web content.
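
The check above can be scripted. The following is an added example, not part of the STIG text: the function names are hypothetical, and the web content directory and httpd.conf path are supplied by the caller.

```shell
#!/bin/sh
# Added example (not STIG text): audit a docroot and httpd.conf for V-2227.

# Every symbolic link under the web content tree is a finding.
list_symlinks() {
    find "$1" -type l -print
}

# Links that fail the owner-match requirement: target missing, or target
# owned by a different numeric UID than the link itself.
owner_mismatches() {
    find "$1" -type l -print | while IFS= read -r link; do
        [ -e "$link" ] || { printf '%s\n' "$link"; continue; }
        link_uid=$(ls -ldn "$link" | awk '{print $3}')
        target_uid=$(ls -ldnL "$link" | awk '{print $3}')
        [ "$link_uid" = "$target_uid" ] || printf '%s\n' "$link"
    done
}

# True when an active (uncommented) Options directive enables FollowSymLinks.
# SymLinksIfOwnerMatch and -FollowSymLinks do not match.
conf_follows_symlinks() {
    grep -Eiq '^[[:space:]]*Options([[:space:]]+[^#[:space:]]+)*[[:space:]]+\+?FollowSymLinks([[:space:]]|$)' "$1"
}

# usage: audit_v2227 DOCROOT HTTPD_CONF   (returns 1 if anything is a finding)
audit_v2227() {
    rc=0
    if [ -n "$(list_symlinks "$1")" ]; then
        echo "FINDING: symbolic links under $1:"; list_symlinks "$1"; rc=1
    fi
    if [ -n "$(owner_mismatches "$1")" ]; then
        echo "Owner mismatch or missing target:"; owner_mismatches "$1"
    fi
    if conf_follows_symlinks "$2"; then
        echo "FINDING: Options FollowSymLinks is enabled in $2"; rc=1
    fi
    return "$rc"
}

# Run against caller-supplied paths, e.g. the docroot and httpd.conf in use.
if [ "$#" -eq 2 ]; then audit_v2227 "$1" "$2"; fi
```

The configuration check reads only the file it is given, so any files pulled in through Include directives need to be passed to conf_follows_symlinks separately.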

Fix Text

Disable symbolic links.