2.8 Ensure the Info Module Is Disabled

Information

The Apache mod_info module provides information on the server configuration via access to a /server-info URL location.

Rationale:

While having server configuration information available as a web page may be convenient, it is recommended that this module NOT be enabled. Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules, such as system paths, usernames/passwords, and database names.

Solution

Perform one of the following to disable the mod_info module:

For source builds with static modules, run the Apache ./configure script without including mod_info in the --enable-modules= configure script options.

$ cd $DOWNLOAD_HTTPD
$ ./configure

For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file.

##LoadModule info_module modules/mod_info.so
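
The following check is an added example, not part of the benchmark text. It scans a configuration tree for uncommented lines that load mod_info or request its server-info handler (including in .htaccess files); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag active mod_info references in an Apache config tree.

# Print every uncommented line that loads mod_info or enables its handler.
# Returns 0 when nothing is found (compliant), 1 otherwise.
check_mod_info() {
    # Directive names are case-insensitive, hence -i; lines starting with '#' never match.
    hits=$(grep -rIniE \
        '^[[:space:]]*(LoadModule[[:space:]]+info_module|SetHandler[[:space:]]+"?server-info)' \
        "$1" 2>/dev/null) || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample tree: the module is commented out in httpd.conf,
# but a stray .htaccess still asks for the server-info handler.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/conf" "$root/htdocs/admin"
    printf '%s\n' '##LoadModule info_module modules/mod_info.so' \
        'LoadModule status_module modules/mod_status.so' > "$root/conf/httpd.conf"
    printf '%s\n' 'SetHandler server-info' > "$root/htdocs/admin/.htaccess"
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
if check_mod_info "$sample/conf"; then echo "conf/: no active mod_info lines"; fi
if ! check_mod_info "$sample"; then echo "tree: mod_info references remain"; fi
rm -rf "$sample"
```

This only inspects configuration files; for builds with static modules, the compiled-in module list (httpd -l) still has to be checked separately.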

Default Value:

The mod_info module is not enabled with a default source build.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: c43d08469f851dfce3699a8a1fcf2c0246fd6d41b0a2420f26df3bfc976b0ebf