Rule ID
SV-214274r1212183_rule
Version
V3R3
CCIs
In addition to OS restrictions, access rights to files and directories can be set on a website using the web server software. That is, in addition to allowing or denying all access rights, a rule can be specified that allows or denies partial access rights. For example, users can be given read-only access rights to files to view the information but not change the files. This check verifies that the htpasswd file is only accessible by system administrators (SAs) or web managers, with the account running the web service having group permissions of read and execute. "htpasswd" is a utility used by Netscape and Apache to provide for password access to designated websites.
Locate the htpasswd file using the AuthUserFile directive by entering the following command:
cat /<path_to_file>/httpd.conf | grep -i "AuthUserFile" | awk '{print $2}'
If the above command produces any output, run the "ls -l" command on it; for example:
ls -l /etc/httpd/.htpasswd
Permissions should be: r-x r - x - - - (550)
If permissions on the password file are greater than "550", this is a finding.
Verify the owner is the SA or web manager account.
If another account has access to this file, this is a finding.Find the htpasswd file using the AuthUserFile directive:
cat /<path_to_file>/httpd.conf | grep -i "AuthUserFile" | awk '{print $2}'
Ensure the SA or web manager account owns the htpasswd file.
Ensure permissions are set to "550".