2.5 Ensure the Autoindex Module Is Disabled

Information

The Apache 'mod_autoindex' module automatically generates a web page listing the contents of directories on the server, typically used so an 'index.html' does not have to be generated.

Rationale:

Automated directory listings should not be enabled because they will reveal information helpful to an attacker such as naming conventions and directory paths. They may also reveal files that were not intended to be revealed.

Solution

Perform either one of the following to disable the 'mod_autoindex' module:

1. For source builds with static modules, run the Apache './configure' script with the '--disable-autoindex configure' script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure -disable-autoindex

2. For dynamically loaded modules, comment out or remove the 'LoadModule' directive for the 'mod_autoindex' module from the 'httpd.conf' file.

## LoadModule autoindex_module modules/mod_autoindex.so

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|18, CSCv7|5.1

Plugin: Unix

Control ID: 0e1e5d2633e198044abad5ba53622846ac036da59aaa32e4555eecfcc5d7c20c