
V-240256

CAT II (Medium)

Lighttpd must not be configured to use mod_status.

Rule ID

SV-240256r879655_rule

STIG

VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001312

Discussion

Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages need to be carefully considered by the organization and development team. Lighttpd must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages. The mod_status module generates the status overview of the webserver. The information covers:

  • uptime
  • average throughput
  • current throughput
  • active connections and their state

While this information is useful on a development system, production systems must not have mod_status enabled.

Check Content

At the command prompt, execute the following command:    

cat /opt/vmware/etc/lighttpd/lighttpd.conf | awk '/server\.modules/,/\)/'

If the "mod_status" module is listed, this is a finding.

Fix Text

Navigate to and open the /opt/vmware/etc/lighttpd/lighttpd.conf file.

Navigate to the "server.modules" section.

In the "server.modules" section, delete the "mod_status" entry.
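
A stricter form of the Check Content command, useful for confirming the fix; this is an added example and not part of the STIG. The awk range in the check also prints commented-out entries, so the function below ignores `#` comments and also inspects `server.modules +=` blocks. The function name and sample configs are constructed for illustration, and it assumes module names appear as double-quoted strings.

```shell
#!/bin/sh
# Added example (not part of the STIG): exit 0 if mod_status is actively loaded.
# Assumption: modules are listed as double-quoted strings in server.modules blocks.
mod_status_enabled() {
    # Drop '#' comments first so disabled entries are not counted.
    sed 's/#.*$//' "$1" | awk '
        /server\.modules[ \t]*[+]?=/ { inblock = 1 }   # plain or appending assignment
        inblock && /"mod_status"/     { found = 1 }
        inblock && /\)/               { inblock = 0 }   # end of module list
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample configs (not taken from a real appliance).
demo_dir=$(mktemp -d)
cat > "$demo_dir/commented.conf" <<'EOF'
server.modules = (
    "mod_access",
#   "mod_status",
    "mod_accesslog"
)
EOF
cat > "$demo_dir/enabled.conf" <<'EOF'
server.modules = ( "mod_access" )
server.modules += ( "mod_status" )
EOF

for f in "$demo_dir"/*.conf; do
    if mod_status_enabled "$f"; then
        echo "FINDING: mod_status enabled in $f"
    else
        echo "OK: mod_status not enabled in $f"
    fi
done
```

On the appliance, call `mod_status_enabled /opt/vmware/etc/lighttpd/lighttpd.conf`; an exit status of 0 corresponds to a finding. Files pulled in through include directives are not followed and need to be checked separately.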