Details
The Apache ‘mod_status’ module provides current server performance statistics.
Rationale:
While having server performance status information available as a web page may be convenient, it’s recommended that this module be disabled. When it is enabled, its handler capability is available in all configuration files, including per-directory files (e.g., ‘.htaccess’). This may have security-related ramifications.
Solution
Perform either one of the following to disable the ‘mod_status’ module:
1. For source builds with static modules, run the Apache ‘./configure’ script with the ‘--disable-status’ option.
$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure --disable-status
2. For dynamically loaded modules, comment out or remove the ‘LoadModule’ directive for the ‘mod_status’ module from the ‘httpd.conf’ file.
##LoadModule status_module modules/mod_status.so
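To confirm the change took effect, the following added example (not part of the original control text) checks configuration files, including per-directory ‘.htaccess’ files, for active ‘mod_status’ directives, and checks a module listing in the format printed by ‘httpd -M’ for static builds. The function names, sample file names and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample files below are constructed for illustration.

# Scan config files for active (uncommented) directives that load
# mod_status or map its handler. Prints file:line:text for each hit.
# Returns 0 when clean, 1 when mod_status is still referenced.
audit_config() {
    # /dev/null forces grep to print file names even for one argument.
    hits=$(grep -inE \
        '^[[:space:]]*(LoadModule[[:space:]]+status_module|SetHandler[[:space:]]+"?server-status)' \
        "$@" /dev/null || true)
    if [ -z "$hits" ]; then return 0; fi
    printf '%s\n' "$hits"
    return 1
}

# Check a module listing (the output format of `httpd -M`) read from
# stdin. This covers static builds, where no LoadModule line exists.
# Returns 0 when status_module is absent, 1 when it is loaded.
audit_module_list() {
    if grep -qE '^[[:space:]]*status_module[[:space:]]'; then return 1; fi
    return 0
}

# Build constructed sample files in a temporary directory.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    printf '%s\n' 'ServerRoot "/usr/local/apache2"' \
        'LoadModule status_module modules/mod_status.so' \
        > "$SAMPLE_DIR/httpd-before.conf"
    printf '%s\n' 'ServerRoot "/usr/local/apache2"' \
        '##LoadModule status_module modules/mod_status.so' \
        > "$SAMPLE_DIR/httpd-after.conf"
    printf '%s\n' '<Files "status">' '  SetHandler server-status' '</Files>' \
        > "$SAMPLE_DIR/htaccess-sample"
}

make_samples
audit_config "$SAMPLE_DIR/httpd-before.conf" "$SAMPLE_DIR/htaccess-sample" \
    || echo "FAIL: mod_status is still referenced"
audit_config "$SAMPLE_DIR/httpd-after.conf" && echo "PASS: config is clean"
printf ' core_module (static)\n status_module (static)\n' | audit_module_list \
    || echo "FAIL: status_module is loaded"
```

On a live host, pass the real ‘httpd.conf’, any included files and ‘.htaccess’ files to audit_config, and pipe the output of ‘httpd -M’ into audit_module_list.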
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Unix.