Ensure the Autoindex Module Is Disabled

Details

The Apache ‘mod_autoindex’ module automatically generates a web page listing the contents of directories on the server, typically used so an ‘index.html’ does not have to be generated.

Rationale:

Automated directory listings should not be enabled because they will reveal information helpful to an attacker such as naming conventions and directory paths. They may also reveal files that were not intended to be revealed.

Solution

Perform either one of the following to disable the ‘mod_autoindex’ module:

1. For source builds with static modules, run the Apache ‘./configure’ script with the ‘--disable-autoindex’ configure script option.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure --disable-autoindex

2. For dynamically loaded modules, comment out or remove the ‘LoadModule’ directive for the ‘mod_autoindex’ module from the ‘httpd.conf’ file.

## LoadModule autoindex_module modules/mod_autoindex.so
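
An audit sketch for the two remediation steps above, added here as an example and not part of the original benchmark text. The function names and sample configs are hypothetical and constructed for illustration; `httpd -M` and `httpd -l` are the standard Apache options for listing loaded and compiled-in modules.

```shell
#!/bin/sh
# Added example: audit that mod_autoindex is no longer loaded.
# Function names and sample data are hypothetical/constructed.

# Print every uncommented LoadModule line for autoindex_module in FILE.
# Apache directive names are case-insensitive and may be indented.
active_autoindex_lines() {
    grep -niE '^[[:space:]]*LoadModule[[:space:]]+autoindex_module([[:space:]]|$)' "$1"
}

# Audit one config file: returns 0 (PASS), 1 (FAIL) or 2 (file unreadable).
# Files pulled in via Include must be audited separately.
audit_conf() {
    [ -r "$1" ] || { printf 'ERROR: cannot read %s\n' "$1"; return 2; }
    if hits=$(active_autoindex_lines "$1"); then
        printf 'FAIL: %s still loads mod_autoindex:\n%s\n' "$1" "$hits"
        return 1
    fi
    printf 'PASS: no active autoindex_module LoadModule in %s\n' "$1"
}

# Read module-list text on stdin; succeed if autoindex is present.
# Matches "autoindex_module (shared|static)" as printed by `httpd -M`
# and "mod_autoindex.c" as printed by `httpd -l` (static builds, step 1).
autoindex_in_module_list() {
    grep -qiE '(^|[[:space:]])(autoindex_module|mod_autoindex\.c)([[:space:]]|$)'
}

# Constructed sample configs: hardened (step 2 applied) and unhardened.
sample_hardened() {
    printf '%s\n' '## LoadModule autoindex_module modules/mod_autoindex.so' \
                  'LoadModule dir_module modules/mod_dir.so'
}
sample_unhardened() {
    printf '%s\n' '  loadmodule autoindex_module modules/mod_autoindex.so'
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
sample_hardened   > "$demo_dir/hardened.conf"
sample_unhardened > "$demo_dir/unhardened.conf"
audit_conf "$demo_dir/hardened.conf"
audit_conf "$demo_dir/unhardened.conf" || true
rm -rf "$demo_dir"
```

Against a real server, pipe the output of `httpd -M` into `autoindex_in_module_list` and run `audit_conf` on the actual ‘httpd.conf’; a compliant host reports no match from either check.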

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.

Updated on July 16, 2022