Story (Required)

Use the following guidelines for securing Apache access control:

• Deny Access to OS Root Directory:

The Apache Directory directive allows for directory-specific configuration of access controls and many other features and options. One important usage is to create a default deny policy that does not allow access to Operating system directories and files, except for those specifically allowed. This is done by denying access to the OS root directory.

The default access feature is an aspect of Apache that can be misunderstood. Unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can and will serve it to clients. Having a default deny is a predominate security principal that helps prevent the unintended access. In this case, you can do this by denying access to the OS root directory using either of two methods but not both:

1. 1. Using the Apache Deny directive along with an Order directive.
   2. Using the Apache Require directive.

Background (Required)

Refer to the Epic description.

Out of scope

Any previous counter measures.

Approach (Required)

- Discuss this issue in the bug triage or cabal.

Dependencies

NA

Acceptance Criteria (Mandatory)

• Bring this issue to the bug triage call and take a decision on the counter measure.
• If further discussion is needed, bring this issue to the cabal.

INVEST Checklist

Dependencies identified

Blockers noted and expected delivery timelines set

Design is implementable

Acceptance criteria agreed upon

Story estimated

Legend

Unknown

Verified

Unsatisfied

Done Checklist

• Code is completed, reviewed, documented and checked in
• Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
• Continuous Delivery pipeline(s) is able to proceed with new code included
• Customer facing documentation, API docs etc. are produced/updated, reviewed and published
• Acceptance criteria are met