2.8 Ensure the Info Module Is Disabled

Information

The Apache 'mod_info' module provides information on the server configuration via access to a '/server-info' URL location.

Rationale:

Although having server configuration information available as a web page may be convenient, it's recommended that this module be disabled. Once the module is loaded into the server, its handler capability is available in per-directory '.htaccess' files. This can leak sensitive information, such as system paths, usernames/passwords, and database names, from the configuration directives of other Apache modules.

Solution

Perform either one of the following to disable the 'mod_info' module:

1. For source builds with static modules, run the Apache './configure' script without including 'mod_info' in the '--enable-modules= configure' script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure

2. For dynamically loaded modules, comment out or remove the 'LoadModule' directive for the 'mod_info' module from the 'httpd.conf' file.

##LoadModule info_module modules/mod_info.so

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv6|9.1, CSCv7|9.2

Plugin: Unix

Control ID: 761f5618628c236ce52f70cce5c9efb0e96037814d5f34c5b4ba4912150faeb8