MODULES-10902

puppetlabs-apache : Security issues on default settings


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: apache
    • Labels:
      None
    • Template:
      MODULES Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: 5.8.0
      Puppet Version: 5.5.22
      OS Name/Version: CentOS 7


      Dangerous httpd settings are enabled by default (/etc/httpd/conf/httpd.conf):

      • "TraceEnable On".
      • Options Indexes is enabled by default; change to "Options -Indexes".

      The server signature is enabled by default but disabled in each virtual host; this is dangerous.

      grep 'ServerSignature' /etc/httpd/ -R
      /etc/httpd/conf.d/25-000-default-https.conf: ServerSignature Off
      /etc/httpd/conf.d/25-000-default-http.conf: ServerSignature Off
      /etc/httpd/conf/httpd.conf:ServerSignature On

      Embedded icons are enabled by default: http://example.com/icons/. Please remove it from:

      /etc/httpd/conf.modules.d/alias.conf:Alias /icons/ "/usr/share/httpd/icons/"
      


            People

            Assignee:
            Unassigned
            Reporter:
            WHK