Security Question

by Mr. Marc -
Number of replies: 6

When I run the Site administration > Reports > Security overview, it reports:

Your dataroot directory /usr/moodle_data is in the wrong location and might be exposed to the web.

What process can I go through to lock this down and change the message displayed?

In reply to Mr. Marc

Re: Security Question

by Mr. Marc -

I have set the usr/moodle_data dir permissions to 700 with apache as user and apache owner

In reply to Mr. Marc

Re: Security Question

by Ken Task -

Depending upon where/how the Moodle is hosted, you might NOT be able to correct it to satisfy what Moodle wants, but it still can be 'secure'. First, let's remember that *everything* on the web IS really risk management nowadays. And that not everyone runs the same operating system or host with the same provider. And that not everyone installs Moodle as per recommendations of moodle.org docs (your provider may have a script that you used to install).

If the data directory (moodledata) is in the server's defined 'access directory' for apache, Moodle considers that to be insecure. Here's a test ... using a browser, see if you can go directly to it using: http://yourserver/moodledata/. If you can, then it is insecure. If NOT, you're ok.

As far as ownership/permissions on moodledata and folders contained therein ... yes, everything in there needs to be at least readable/writeable by the user under which apache runs. In your case, the system appears to be Linux and the user/group that Apache runs under is 'apache'.

I take it you have 2.7 (you've not mentioned what version) and that you've seen/read over:

https://docs.moodle.org/27/en/Security

'spirit of sharing', Ken

In reply to Ken Task

Re: Security Question

by Mr. Marc -

Ken, thank you for your reply. Yes, we are self-hosting this Moodle site; it is running Moodle 2.6.2. This site is running on CentOS 6.5, if any of that helps out?

In reply to Mr. Marc

Re: Security Question

by Ken Task -

Yes, it does ... now specific responses are possible as per OS (CentOS 6.5 for those exploring) ... Assuming a typical install of the operating system, apache, php, and mysql ...

Apache's "typical" folders are in /var/www/ (defined in /etc/httpd/conf/httpd.conf). Inside www is normally where one would place moodledata - apache:apache owner/group. Moving Moodle data there and editing the config.php file to reflect its new location should remove that error.

You'll find other directories already present at /var/www/ (cgi-bin, icons, error, manual, and usage). For cgi-bin to be used, edits to httpd.conf are necessary, and files (normally perl) need to be uploaded there. icons - available images for directory listings. error - if you have customized error pages (like 404 not found 'guidance' for 'lost users'). manual (just what it says) may or may not be present, but it's the documentation for the installed version of apache (everything you didn't want to know). usage is present only if you have webalizer installed and running.

Your moodle code folder (or the moodle code) is in /var/www/html/  (the html directory is called 'document root' - anything in there can be served out by apache)

That help? ;)

'spirit of sharing', Ken
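The two checks Ken describes above (whether moodledata sits inside the directory apache serves from, and whether its permissions are restricted to the apache user) can be run against the files on disk rather than by hand. The script below is an added example, not code from this thread, from Moodle or from Apache; it reads DocumentRoot from an httpd.conf and $CFG->dataroot from a config.php, reports whether the dataroot is under the DocumentRoot, and checks the directory mode Marc set (700). The httpd.conf, config.php files and directories it builds are constructed samples, not a real server's configuration.

```shell
#!/bin/sh
# Added example (not from the thread, Moodle or Apache): apply Ken's two checks
# to config files on disk. All sample files below are constructed for the demo.

# Print the DocumentRoot from an Apache config: first uncommented directive, quotes optional.
apache_docroot() {
    sed -n 's/^[[:space:]]*DocumentRoot[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# Print $CFG->dataroot from a Moodle config.php (assumes a single-quoted literal).
moodle_dataroot() {
    sed -n 's/^[[:space:]]*[$]CFG->dataroot[[:space:]]*=[[:space:]]*'\''\([^'\'']*\)'\''.*/\1/p' "$1" | head -n 1
}

# Return 0 if the second path equals the first or lies beneath it, else 1.
# Trailing slashes are stripped so /var/www/html/ and /var/www/html compare equal.
path_under() {
    root=$(printf '%s' "$1" | sed 's:/*$::')
    path=$(printf '%s' "$2" | sed 's:/*$::')
    case "$path" in
        "$root"|"$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the directory's mode is exactly 700 (drwx------), else 1.
dir_is_owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Combine the checks: print a verdict, return 0 when the dataroot is outside
# the DocumentRoot (and, if it exists locally, owner-only), 1 otherwise.
check_dataroot() {
    docroot=$(apache_docroot "$1")
    dataroot=$(moodle_dataroot "$2")
    status=0
    if path_under "$docroot" "$dataroot"; then
        echo "EXPOSED: $dataroot is under DocumentRoot $docroot (apache can serve it)"
        status=1
    else
        echo "ok: $dataroot is outside DocumentRoot $docroot"
    fi
    if [ -d "$dataroot" ] && ! dir_is_owner_only "$dataroot"; then
        echo "WARN: $dataroot is not mode 700"
        status=1
    fi
    return $status
}

# Build constructed sample files in a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/httpd.conf" <<'EOF'
#DocumentRoot "/var/www/html-old"
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    AllowOverride None
</Directory>
EOF
    cat > "$dir/config_usr.php" <<'EOF'
<?php
$CFG->dirroot  = '/usr/moodle';
$CFG->dataroot = '/usr/moodle_data';
EOF
    cat > "$dir/config_www.php" <<'EOF'
<?php
$CFG->dataroot = '/var/www/html/moodledata';
EOF
    mkdir "$dir/private" "$dir/shared"
    chmod 700 "$dir/private"   # what Marc set on moodledata
    chmod 755 "$dir/shared"    # world-readable: would be flagged
    printf '%s\n' "$dir"
}

# Demo run: Marc's layout (/usr/moodle_data) passes, a dataroot under html/ is flagged.
samples=$(make_samples)
check_dataroot "$samples/httpd.conf" "$samples/config_usr.php" || true
check_dataroot "$samples/httpd.conf" "$samples/config_www.php" || true
rm -rf "$samples"
```

Run it as `sh check_dataroot.sh`; to check a real box, call `check_dataroot /etc/httpd/conf/httpd.conf /usr/moodle/config.php` from the same shell. Note that this only tests the DocumentRoot containment Ken's browser test looks for; an Alias or extra Directory block in httpd.conf could still expose a path outside DocumentRoot, so the browser test remains worth doing.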

In reply to Ken Task

Re: Security Question

by Mr. Marc -

Ken, thank you again for your insight. I have followed a set of install instructions that did talk about putting the moodle and moodle_data folders under the /usr directory; got them off the Moodle install docs page.

I have tried to access the moodle_data directory like you suggested:

https://mysite.com/moodle for logging in

and tried https://mysite.com/moodle_data and it gave me page not found

With the correct permissions and the above no access to the directory, should be ok?

In reply to Mr. Marc

Re: Security Question

by Ken Task -

Please provide the link to the Moodle.org directions (maybe they need to state up front some statements for users to read).

Something to note about directions found on Moodle.org: hopefully, they declare the system for which the directions apply. Some are for Ubuntu. Some are for CentOS. There are subtle differences in the locations of things as defaults for the OS. CentOS is based on RedHat Enterprise and closely related to Fedora (the latter being the community version of RH). For as long as I can remember (near 20+ years now), the RH 'family' has ALWAYS used /var/www in apache config (but maybe that's why the author of the moodle docs changed things - security by obscurity?).

However, having said that, a Linux AMP server is flexible enough so that a knowledgeable user can change the defaults of just about any daemon config to whatever they think appropriate. Such might be the case with docs on Moodle.org. Whoever wrote the docs might have thought it best to provide 'off one' type directions ... that will still work (thought to be easier/more secure?) for most users. Those directions, however, probably don't match the 1000s of web pages/blogs etc. on the internet that show/tell how to.

Having said that, I will also state it is difficult to provide ONE set of directions for all Linux distros and the differences that providers might initiate on their own (for whatever reason).

Bottom line for you ... yes, you should be ok.

Would encourage you, however, to dive a little more into the config of apache, php, and mysql ... the pieces that make up what Moodle runs under.   Sooner or later that knowledge will be handy ... maybe even required.

'spirit of sharing', Ken