Details
The goal is to completely control the web user’s experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end.
Enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the Apache web server’s directory structure by locating directories without default pages. In the scenario, the Apache web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Determine the location of the ‘HTTPD_ROOT’ directory and the ‘httpd.conf’ file:
# httpd -V | egrep -i ‘httpd_root|server_config_file’
-D HTTPD_ROOT=’/etc/httpd’
-D SERVER_CONFIG_FILE=’conf/httpd.conf’
Add a default document to the applicable directories.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Unix.
References
- 800-53|SI-11a.
- CAT|II
- CCI|CCI-001312
- Rule-ID|SV-214292r612241_rule
- STIG-ID|AS24-U2-000620
- STIG-Legacy|SV-102891
- STIG-Legacy|V-92803
- Vuln-ID|V-214292