Automatic directory indexing must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-26368 | WA00515 A22 | SV-33219r1_rule | - | medium |
| Description | ||||
| To identify the type of web servers and versions software installed it is common for attackers to scan for icons or special content specific to the server type and version. A simple request like http://example.com/icons/apache_pb2.png may tell the attacker that the server is Apache 2.2 as shown below. The many icons are used primary for auto indexing, which is recommended to be disabled. | ||||
| STIG | Date | |||
| APACHE 2.2 Server for UNIX Security Technical Implementation Guide | 2019-01-07 | |||
Details
Check Text (C-33219r1_chk)
Enter the following command:
/usr/local/Apache2.2/bin/httpd –M.
This will provide a list of all loaded modules. If autoindex_module is found, this is a finding.
Fix Text (F-29492r1_fix)
Edit the httpd.conf file and remove autoindex_module.