8.4 Ensure ETag Response Header Fields Do Not Include Inodes

Information

The FileETag directive configures the file attributes that are used to create the ETag (entity tag) response header field when the document is based on a static file. The ETag value is used in cache management to save network bandwidth. The value returned may be based on combinations of the file inode, the modification time, and the file size.

Rationale:

When the FileETag is configured to include the file inode number, a remote attacker may be able to discern the inode number from returned values. The inode is considered sensitive information, as it could be useful in assisting in other attacks.

Solution

Perform the following to implement the recommended state:

Add or modify the 'FileETag' directive in the server and each virtual host configuration to have the value 'None' or 'MTime Size'.

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CSCv6|18.9, CSCv7|13.2

Plugin: Unix

Control ID: 92afb65df6d9872221f5308d83567b07e991dba4ebf066e3dc9e752fe4b1d295