Ensure the Status Module Is Disabled

Details

The Apache mod_status module provides current server performance statistics.

Rationale:

When mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess). The mod_status module may provide an adversary with information that can be used to refine exploits that depend on measuring server load.

Solution

Perform either one of the following to disable the mod_status module:

For source builds with static modules, run the Apache ./configure script with the --disable-status option.

$ cd $DOWNLOAD_HTTPD
$ ./configure --disable-status

For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file.

##LoadModule status_module modules/mod_status.so
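
One way to confirm the dynamic-module change took effect, added here as an example and not part of the original benchmark text: the script scans configuration files for an active LoadModule status_module line or a SetHandler server-status mapping in a per-directory file. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag active mod_status references in Apache config files.

# Print uncommented lines that load mod_status or map its handler.
# Directive names are case-insensitive in Apache, hence grep -i.
find_status_refs() {
    grep -inE '^[[:space:]]*(LoadModule[[:space:]]+status_module[[:space:]]|SetHandler[[:space:]]+"?server-status"?[[:space:]]*$)' "$1"
}

# Return 0 when none of the given files reference mod_status, else 1.
audit_status_module() {
    rc=0
    for f in "$@"; do
        if hits=$(find_status_refs "$f"); then
            printf 'FAIL %s\n%s\n' "$f" "$hits"
            rc=1
        else
            printf 'PASS %s\n' "$f"
        fi
    done
    return "$rc"
}

# Constructed sample inputs (not taken from a real server).
write_samples() {
    cat > "$1/enabled.conf" <<'EOF'
LoadModule dir_module modules/mod_dir.so
  loadmodule status_module modules/mod_status.so
EOF
    cat > "$1/disabled.conf" <<'EOF'
##LoadModule status_module modules/mod_status.so
LoadModule dir_module modules/mod_dir.so
EOF
    cat > "$1/htaccess.sample" <<'EOF'
# per-directory file that still maps the status handler
SetHandler server-status
EOF
}

# Demo run; "|| true" because a FAIL result is expected for two samples.
d=$(mktemp -d)
write_samples "$d"
audit_status_module "$d"/* || true
rm -rf "$d"
```

Pass the real httpd.conf, any included configuration files and any .htaccess files as arguments to audit_status_module; a non-zero exit status means at least one file still references the module.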

Default Value:

The mod_status module IS enabled with a default source build.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Unix.

References

Source

Updated on July 16, 2022