Web server status module must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-26294 | WA00510 A22 | SV-33218r1_rule | - | medium |
| Description | ||||
| The Apache mod_info module provides information on the server configuration via access to a /server-info URL location, while the mod_status module provides current server performance statistics. While having server configuration and status information available as a web page may be convenient, it is recommended that these modules not be enabled: Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc. If mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess) and may have security-related ramifications. | ||||
| STIG | Date | |||
| APACHE 2.2 Server for UNIX Security Technical Implementation Guide | 2019-01-07 | |||
Details
Check Text (C-33218r1_chk)
Enter the following command:
/usr/local/Apache2.2/bin/httpd –M.
This will provide a list of all loaded modules. If any of the following modules are found, this is a finding.
info_module
status_module
Fix Text (F-29395r1_fix)
Edit the httpd.conf file and disable info_module and status_module.