AS24-U1-000270 - The Apache web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials.

Information

Apache web server documentation, sample code, example applications, and tutorials may be an exploitable threat to an Apache web server because this type of code has not been evaluated and approved. A production Apache web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web content, etc.).

Any documentation, sample code, example applications, and tutorials must be removed from a production Apache web server. To ensure that the documentation and code are not installed or are uninstalled completely, the Apache web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.

Satisfies: SRG-APP-000141-WSR-000077, SRG-APP-000141-WSR-000080

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Review all pre-installed content and remove content that is not required. In particular, look for the unnecessary content that may be found in the document root directory, a configuration directory such as conf/extra directory, or as a UNIX/Linux package.

Remove the default index.html or welcome page if it is a separate package. If the default welcome page is part of the main Apache httpd package as it is on Red Hat Linux, then comment out the configuration as shown below. Removing a file such as 'welcome.conf' is not recommended as it may be replaced if the package is updated.

#
# This configuration file enables the default 'Welcome'
# page if there is no default index page present for
# the root URL. To disable the Welcome page, comment
# out all the lines below.
#
##<LocationMatch '^/+$'>
## Options -Indexes
## ErrorDocument 403 /error/noindex.html
##</LocationMatch>

Remove the Apache User Manual content or comment out configurations referencing the manual.

Example:

# yum erase httpd-manual

Remove or comment out any Server Status handler configuration:

#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the '.example.com' to match your domain to enable.
#
##<Location /server-status>
## SetHandler server-status
## Order deny,allow
## Deny from all
## Allow from .example.com
##</Location>

Remove or comment out any Server Information handler configuration:

#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the '.example.com' to match your domain to enable.
#
##<Location /server-info>
## SetHandler server-info
## Order deny,allow
## Deny from all
## Allow from .example.com
##</Location>

Remove or comment out any other handler configuration such as perl-status:

# This will allow remote server configuration reports, with the URL of
# http://servername/perl-status
# Change the '.example.com' to match your domain to enable.
#
##<Location /perl-status>
## SetHandler perl-script
## PerlResponseHandler Apache2::Status
## Order deny,allow
## Deny from all
## Allow from .example.com
##</Location>

The default source build provides extra content available in the <'INSTALLED PATH'>/conf/extra/ directory, but the configuration of most of the extra content is commented out by default. In particular, the inclusion of conf/extra/proxyhtml.conf is not commented out in 'httpd.conf':

# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf

For applications developed in-house, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software or accessible in the production environment.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Server_2-4_Unix_Y24M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|I, CCI|CCI-000381, Rule-ID|SV-214242r960963_rule, STIG-ID|AS24-U1-000270, STIG-Legacy|SV-102733, STIG-Legacy|V-92645, Vuln-ID|V-214242

Plugin: Unix

Control ID: d1244cb16740f86606ec0ac85dc9d4a15bd3a7dde13c245252db0d376b5bbd5d