Rule ID
SV-221402r960963_rule
Version
V2R3
CCIs
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are not installed or uninstalled completely; the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "<Directory "${PRODUCT_HOME}/manual">" directive at the OHS server configuration scope.
3. If the directive and the directives it contains exists and is not commented out, this is a finding.1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "<Directory "${PRODUCT_HOME}/manual">" directive at the OHS server configuration scope.
3. Comment out the "<Directory "${PRODUCT_HOME}/manual">" directive and any directives it contains if they exist.