8.3 Ensure All Default Apache Content Is Removed - 'httpd.conf Include conf/extra/httpd-autoindex.conf does not exists'

Information

In previous recommendations, we have removed default content such as the Apache manuals and default CGI programs. However, if you want to further restrict information leakage about the web server, it is important that default content such as icons are not left on the web server.

Rationale:

To identify the type of web servers and versions software installed, it is common for attackers to scan for icons or special content specific to the server type and version. A simple request like [http://example.com/icons/apache_pb2.png](http://example.com/icons/apache_pb2.png) may tell the attacker that the server is Apache 2.2. Many icons are used primarily for auto indexing, which is recommended to be disabled.

Solution

Perform either of the following to implement the recommended state:

1. The default source build places the auto-index and icon configurations in the 'extra/httpd-autoindex.conf' file, so it can be disabled by leaving the include line commented out in the main 'httpd.conf' file, as shown below.

# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf

2. Alternatively, the icon 'alias' directive and the directory access control configuration can be commented out as shown:

# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
#
#Alias /icons/ '/var/www/icons/'

#
# Options Indexes MultiViews FollowSymLinks
# AllowOverride None
# Order allow,deny
# Allow from all
#

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CSCv6|18.9, CSCv7|13.2

Plugin: Unix

Control ID: 3aac7f909a09a0f4f3f3f073622613421b24e7508e1e06ce49978650f720af5a