8.3 Ensure All Default Apache Content Is Removed - 'httpd.conf Include conf/extra/httpd-autoindex.conf does not exists'

Information

In previous recommendations, we have removed default content such as the Apache manuals and default CGI programs. However, if you want to further restrict information leakage about the web server, it is important that default content such as icons are not left on the web server.

Rationale:

To identify the type of web servers and versions software installed it is common for attackers to scan for icons or special content specific to the server type and version. A simple request like http://example.com/icons/apache_pb2.png may tell the attacker that the server is Apache 2.4. Many icons are used primarily for auto indexing, which is also recommended to be disabled.

Solution

Perform either of the following to implement the recommended state:

The default source build places the auto-index and icon configurations in the extra/httpd-autoindex.conf file, so it can be disabled by leaving the include line commented out in the main httpd.conffile as shown below.

# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf

Alternatively, the icon alias directive and the directory access control configuration can be commented out as shown if present:

# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
#
#Alias /icons/ "/var/www/icons/"
#<Directory "/var/www/icons">
# Options Indexes MultiViews FollowSymLinks
# AllowOverride None
# Order allow,deny
# Allow from all
#</Directory>

Default Value:

The default source build does not enable access to the Apache icons.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18, CSCv7|13.2

Plugin: Unix

Control ID: 63d4520629bbdad1f4d3a7829ae7c260430b42e6ec6329af43b4a725091660dd