The” -Indexes” directive is not used on all data directories not containing a default index page unless the mod_autoindex module is disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-13735 | WA000-WWA058 | SV-14345r1_rule | Medium |
| Description |
|---|
| Directory options directives are httpd.conf directives that can be applied to further restrict access to file and directories. If a URL which maps to a directory is requested, and there is no DirectoryIndex (e.g., index.html) in that directory, then mod_autoindex will return a formatted listing of the directory which is not acceptable. |
| STIG | Date |
|---|---|
| IIS 7.0 Server STIG | 2019-03-22 |
Details
| Check Text ( C-10988r1_chk ) |
|---|
| Locate the Apache httpd.conf file. If you cannot locate the file, you can do a search of the drive to find the location of the file. Open the httpd.conf file with an editor and search for the following directive: Then review the Options statement for the following value: Indexes If the value is found on an options statement within the Directory directive, and it does not have a "-" preceding it, this is a finding. If the value does not exist, this would be a finding unless the Options statement has the "None" option. Please be sure to check for all occurrences of the Directory directive for the presence of the Indexes value. If this enabled on any of these, this would be a finding. |
| Fix Text (F-13183r1_fix) |
|---|
| Edit the httpd.conf file and add an "-" to the Indexes setting, or set the options directive to None. |