8.4 Ensure ETag Response Header Fields Do Not Include Inodes

Information

The FileETag directive configures the file attributes that are used to create the ETag (entity tag) response header field when the document is based on a static file. The ETag value is used in cache management to save network bandwidth. The value returned may be based on combinations of the file inode, the modification time, and the file size.

Rationale:

When the FileETag is configured to include the file inode number, remote attackers may be able to discern the inode number from returned values. The inode is considered sensitive information, as it could be useful in assisting in other attacks.

Solution

Perform the following to implement the recommended state:
Remove all instances of the FileETag directive. Alternatively, add or modify the FileETag directive in the server and each virtual host configuration to have either the value None or MTime Size.

Default Value:

The default value is MTime Size.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-8, CSCv7|7.4, CSCv7|7.7

Plugin: Unix

Control ID: 975b02a192a1c5d925e9942ae343f64bce3befa3f589d2e544fb9efaf4c5488c