
Debugging and trace information, within Automation Controller NGINX web server, used to diagnose the web server must be disabled.

An XCCDF Rule

Description

It is important that Automation Controller NGINX web server debugging and trace information used to diagnose the web server is disabled, because debugging output can reveal details about the Automation Controller NGINX web server: the web server type, version, installed patches, plugins, modules, and the hosted application's code type. The back ends used for storage could be revealed as well. An attacker would not need to trigger an error condition to obtain this information, because it could reside in logs and general messages. If debugging/trace information is enabled, attackers could gather it from logs and general messages without drawing attention to themselves via an error message.

Documentable
false

ID
SV-256959r961167_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

For each Automation Controller NGINX web server, a system administrator must complete the following steps.

Verify the NGINX configuration file in use:

NGINXCONF=$(nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}'); echo "$NGINXCONF"
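Once the active configuration file is known, an administrator wants to confirm that it does not turn on NGINX's debug logging. The following shell check is an added example, not part of the STIG's own procedure: it scans a configuration file for "error_log" directives whose level is "debug" (or a debug sub-level such as "debug_http") and reports each one with its line number. It assumes the path found in NGINXCONF is passed as the argument and does not follow "include" directives; the sample configuration it builds is constructed test data, not a real host's file.

```shell
#!/bin/sh
# Added example (not from the STIG page): report error_log directives that
# enable NGINX debug logging. Assumes the path of the active config is passed
# in, e.g. the $NGINXCONF value found with "nginx -V"; include files are not
# followed.

# check_nginx_debug_log CONF
#   Returns 0 if no debug-level error_log directive is present, 1 if at least
#   one is found (each offending line is printed with its line number), and
#   2 if the file cannot be read.
check_nginx_debug_log() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Strip comments first (sed keeps the line count, so the grep -n numbers
    # still refer to the original file), then match error_log lines whose
    # level is "debug" or one of its sub-levels such as debug_http.
    offenders=$(sed 's/#.*//' "$conf" \
        | grep -nE '^[[:space:]]*error_log[[:space:]]+[^;]*[[:space:]]debug(_[a-z]+)?[[:space:]]*;' \
        || true)
    if [ -n "$offenders" ]; then
        echo "debug-level error_log found in $conf:"
        echo "$offenders"
        return 1
    fi
    echo "no debug-level error_log in $conf"
    return 0
}

# make_sample LEVEL
#   Writes a constructed NGINX config (sample data, not a real host's config)
#   whose global error_log uses LEVEL, and prints the temp file's path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<EOF
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log $1;   # global level
http {
    server_tokens off;
    server {
        listen 443 ssl;
        # error_log /var/log/nginx/debug.log debug;   (commented out: must not match)
        error_log /var/log/nginx/site.log warn;
    }
}
EOF
    echo "$f"
}

# Stand-alone run: one constructed config with debug enabled, one without.
bad=$(make_sample debug)
good=$(make_sample warn)
check_nginx_debug_log "$bad" || true   # returns 1 and prints line 3
check_nginx_debug_log "$good"          # returns 0
rm -f "$bad" "$good"
```

On a real host, call check_nginx_debug_log "$NGINXCONF" and, because the main file usually pulls in site files, repeat the check for each file named in an "include" directive.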