2.1.2 Ensure HTTP WebDAV module is not installed

Information

The http_dav_module enables HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV) as defined by RFC 4918. This enables file-based operations on your web server, such as the ability to create, delete, change and move files on your server. Most modern architectures have replaced this functionality with cloud-based object storage, in which case the module should not be installed.

Rationale:

WebDAV functionality opens up an unnecessary path for exploiting your web server. Through misconfigurations of WebDAV operations, an attacker may be able to access and manipulate files on the server.

Solution

To remove the http_dav_module, recompile nginx from source without the --with-http_dav_module flag.

Default Value:

The HTTP WebDAV module is not installed by default when installing from source. It does come by default when installed using dnf.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, 800-53|CM-7(1), CSCv7|2.8

Plugin: Unix

Control ID: d106b79f8f91051b720a26f19d927caa21010bf2af05c08b1e566b4bfb967476