Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-256958 | APWS-AT-000620 | SV-256958r903555_rule | Medium |
Description |
---|
It is important that Automation Controller NGINX web server display a default hosted application web paged and not a directory listing when a requested web page cannot be found, because the web server will be vulnerable to intrusion. For this reason, access to directory listings must be disabled. If a user or attacker have access to the website directory listing, they may have access to all the files in that folder. Additionally, they may be privy to specific details regarding the web server. |
STIG | Date |
---|---|
Red Hat Ansible Automation Controller Web Server Security Technical Implementation Guide | 2023-03-15 |
Check Text ( C-60633r903555_chk ) |
---|
For each Automation Controller NGINX web server, a system administrator must view to see whether autoindex is turned on or off (autoindex on/autoindex off): NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' ` ; grep -E 'autoindex\s+on' $NGINXCONF && echo "FAILED" If "FAILED" is displayed, this is a finding. |
Fix Text (F-60575r902387_fix) |
---|
As a System Administrator for each Automation Controller nginx web server host, remove any configuration that turns the autoindexing on: NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' ` ; sed -Ei -e '/autoindex\s+on/d;' $NGINXCONF To apply these changes to the running service immediately, restart the NGINX service with the following command: sudo systemctl restart nginx |