Nagios: Listable directories

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Nuggel1234
Posts: 21
Joined: Mon May 28, 2018 2:39 am

Nagios: Listable directories

Post by Nuggel1234 »

Hello,

We get scanned by our security team.
The following was found on our Nagios XI 5.8 Server:

Severity: Low
Vulnerability ID: q086445
Details:
Listable Directories
/icons/
Port: 443/tcp
Generic Vulnerability Description:
The Web server has some listable directories. Very sensitive information can be obtained from directory listings.
A remote user may exploit this vulnerability to obtain very sensitive information on the host. The information obtained may assist in further attacks against the host.


How can we fix this?
Thank you
kfanselow
Posts: 241
Joined: Tue Aug 31, 2021 3:25 pm

Re: Nagios: Listable directories

Post by kfanselow »

Hi Nuggel1234,

The directory browsing capability is a function of the webserver installed on your system. In most cases, if you are using one of our images or the default install, the webserver is going to be Apache. While the configuration on your system may vary, often the /icons exposure is due to an entry in the autoindex.conf file in the configuration directory and the solution is as simple as commenting the lines out.

For example, on CentOS 7.9 with a default install, edit the following file:

```
/etc/httpd/conf.d/autoindex.conf
```

And comment out the following lines with # signs.

```
<Directory "/usr/share/httpd/icons">
    Options Indexes MultiViews FollowSymlinks
    AllowOverride None
    Require all granted
</Directory>
```

So it looks like this:

```
#<Directory "/usr/share/httpd/icons">
#    Options Indexes MultiViews FollowSymlinks
#    AllowOverride None
#    Require all granted
#</Directory>
```

Then restart the server:

```
systemctl restart httpd.service
```

And that should be all there is to it -- good luck.

Thanks and Best Regards,
Keith
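To check that no active `Options` line still enables `Indexes` after an edit like the one in the reply above, the following is an added example, not part of the original thread or any Nagios tooling. The function name `find_indexes_dirs` and the `/var/www/example` path are made up for illustration, the sample config is constructed from the block quoted in the reply, and the scan only reads the files it is given (it does not follow `Include` directives or `.htaccess` files).

```shell
#!/bin/sh
# Added example: print the path of every <Directory> block whose active
# (uncommented) Options line turns on Indexes. Arguments: Apache config files.
find_indexes_dirs() {
    awk '
        /^[ \t]*#/ { next }                          # commented-out lines are inactive
        { low = tolower($0) }                        # directive names are case-insensitive
        low ~ /^[ \t]*<directory[ \t]/ {
            dir = $0
            sub(/^[ \t]*<[^ \t]+[ \t]+/, "", dir)    # drop the opening "<Directory "
            sub(/>[ \t]*$/, "", dir)                 # drop the closing ">"
            gsub(/"/, "", dir)                       # drop quotes around the path
            next
        }
        low ~ /^[ \t]*<\/directory>/ { dir = ""; next }
        dir != "" && low ~ /^[ \t]*options[ \t]/ {
            n = split(low, tok, /[ \t]+/)
            for (i = 1; i <= n; i++)                 # "-indexes" is not a match
                if (tok[i] == "indexes" || tok[i] == "+indexes") { print dir; break }
        }
    ' "$@"
}

# Constructed sample input: the block from the reply plus a hypothetical
# directory that already disables listings, before and after commenting out.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/before.conf" <<'EOF'
<Directory "/usr/share/httpd/icons">
    Options Indexes MultiViews FollowSymlinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/example">
    Options -Indexes +FollowSymLinks
</Directory>
EOF
sed 's/^/#/' "$tmp/before.conf" > "$tmp/after.conf"

echo "before: $(find_indexes_dirs "$tmp/before.conf")"
echo "after:  $(find_indexes_dirs "$tmp/after.conf")"
```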