Directory indexing must be disabled on directories not containing index files.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-13735	WA000-WWA058 A22	SV-32755r1_rule	ECSC-1	Medium

Description
Directory options directives are directives that can be applied to further restrict access to file and directories. If a URL which maps to a directory is requested, and there is no DirectoryIndex (e.g., index.html) in that directory, then mod_autoindex will return a formatted listing of the directory which is not acceptable.

STIG	Date
APACHE Server 2.0 for Unix	2015-08-28

Details

Check Text ( C-33617r1_chk )
To view the Indexes value enter the following command: grep "Indexes" /usr/local/apache2/conf/httpd.conf. Review all uncommented Options statements for the following value: -Indexes If the value is found on the Options statement, and it does not have a preceding ‘-‘, this is a finding. Notes: - If the value does NOT exist, this is a finding. - If all enabled Options statement are set to None this is not a finding.

Check Text ( C-33617r1_chk )

To view the Indexes value enter the following command:

grep "Indexes" /usr/local/apache2/conf/httpd.conf.

Review all uncommented Options statements for the following value: -Indexes

If the value is found on the Options statement, and it does not have a preceding ‘-‘, this is a finding.

Notes:
- If the value does NOT exist, this is a finding.
- If all enabled Options statement are set to None this is not a finding.

Fix Text (F-29248r1_fix)
Edit the httpd.conf file and add an "-" to the Indexes setting, or set the options directive to None.