Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-41695 | SRG-APP-000141-WSR-000077 | SV-54272r3_rule | Medium |
Description |
---|
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are not installed or uninstalled completely; the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary. |
STIG | Date |
---|---|
Web Server Security Requirements Guide | 2015-08-28 |
Check Text ( C-48092r2_chk ) |
---|
Review the web server documentation and deployment configuration to determine if the web server contains documentation, sample code, example applications, or tutorials. Verify the web server install process also offers an option to exclude these elements from installation and provides an uninstall option for their removal. If web server documentation, sample code, example applications, or tutorials are installed or the web server install process does not offer an option to exclude these elements from installation, this is a finding. |
Fix Text (F-47154r2_fix) |
---|
Use the web server uninstall facility or manually remove any documentation, sample code, example applications, and tutorials. |