OHS must disable the directive pointing to the directory containing the OHS manuals.
An XCCDF Rule
Description
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are not installed or uninstalled completely; the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.
- ID
- SV-221402r879587_rule
- Version
- OH12-1X-000156
- Severity
- Low
- References
- Updated
Remediation Templates
A Manual Procedure
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
2. Search for a "<Directory "${PRODUCT_HOME}/manual">" directive at the OHS server configuration scope.
3. Comment out the "<Directory "${PRODUCT_HOME}/manual">" directive and any directives it contains if they exist.