2.5 Ensure the Autoindex Module Is Disabled

Information

The Apache autoindex module automatically generates web page listing the contents of directories on the server, typically used so that an index.html does not have to be generated.

Rationale:

Automated directory listings should not be enabled as it will also reveal information helpful to an attacker such as naming conventions and directory paths. Directory listings may also reveal files that were not intended to be revealed.

Solution

Perform either one of the following to disable the mod_autoindex module:

For source builds with static modules, run the Apache ./configure script with the --disable-autoindex configure script options

$ cd $DOWNLOAD_HTTPD
$ ./configure -disable-autoindex

For dynamically loaded modules, comment out or remove the LoadModule directive for mod_autoindex from the httpd.conf file.

## LoadModule autoindex_module modules/mod_autoindex.so

Default Value:

The mod_autoindex module IS enabled with a default source build.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Unix

Control ID: 964af7c26489794160a3d945ef9a0b2cf2569d8189923562ccf2ca24de4536fa