
Lighttpd must not be configured to use mod_status.


Overview

Finding ID: V-89293
Version: VRAU-LI-000350
Rule ID: SV-99943r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages need to be carefully considered by the organization and development team. Lighttpd must only generate error messages that provide the information necessary for corrective actions, without revealing sensitive or potentially harmful information in error logs and administrative messages.

The mod_status module generates a status overview of the web server. The information covers:
- uptime
- average throughput
- current throughput
- active connections and their state

While this information is useful on a development system, production systems must not have mod_status enabled.
STIG: VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide
Date: 2018-10-12

Details

Check Text (C-88985r1_chk)
At the command prompt, execute the following command:

cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '/server\.modules/,/\)/'

If the "mod_status" module is listed, this is a finding.
Fix Text (F-96035r1_fix)
Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file.

Navigate to the "server.modules" section.

In the "server.modules" section, delete the "mod_status" entry.