2.1.4 Ensure the autoindex module is disabled

Information

The autoindex module processes requests ending with the slash character. This feature enables directory listing, which could be useful in attacker reconnaissance, so it should be disabled.

Rationale:

Automated directory listings may reveal information helpful to an attacker, such as naming conventions and directory paths. Directory listings may also reveal files that were not intended to be revealed.

Solution

Perform the following to disable the autoindex module:

Search the NGINX configuration files (nginx.conf and any included configuration files) to find autoindex directives.

egrep -i '^s*autoindexs+' /etc/nginx/nginx.conf
egrep -i '^s*autoindexs+' /etc/nginx/conf.d/*

Set the value for all autoindex directives to off, or remove those directives.

Default Value:

This module is not enabled by default.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, 800-53|CM-7(1), CSCv7|2.8

Plugin: Unix

Control ID: 450c34443205ef0c155404cd63d51c8a5a4a5fe6a23b006266b9637c9a552b8f