STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to APACHE 2.2 Server for UNIX Security Technical Implementation Guide

V-26393

CAT II (Medium)

The ability to override the access configuration for the OS root directory must be disabled.

Rule ID

SV-33232r1_rule

STIG

APACHE 2.2 Server for UNIX Security Technical Implementation Guide

Version

V1R11

CCIs

None

Discussion

The Apache OverRide directive allows for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the file system. When this directive is set to All, then any directive which has the .htaccess Context is allowed in .htaccess files.

Check Content

Enter the following command:

more /usr/local/Apache2.2/conf/httpd.conf.

Review the httpd.conf file and search for the following directive:

Directory 

For every root directory entry (i.e. <Directory />) ensure the following entry exists:

AllowOverride None

If the statement above is not found in the root directory statement, this is a finding. 

If Allow directives are included in the root directory statement, this is a finding.

If the root directory statement is not listed at all, this is a finding.

Fix Text

Edit the httpd.conf file and add or set the value of AllowOverride to "None".