Draft CIS Benchmark 1.1.11
Description
nginx processes requests ending with the slash character ('/') and produces a directory listing. Usually a request is passed to the ngx_http_autoindex_module module when the ngx_http_index_module module cannot find an index file.
Rationale
Automated directory listings should not be enabled, as they reveal information helpful to an attacker, such as naming conventions and directory paths. Directory listings may also reveal files that were not intended to be revealed.
Remediation
Perform the following to implement the recommended state:

1. Search the NGINX configuration files (nginx.conf and any included configuration files) to find autoindex directives.

    grep -Ei '^\s*autoindex\s+' $NGINX_PREFIX/nginx.conf
    grep -Ei '^\s*autoindex\s+' $NGINX_PREFIX/conf.d/*

2. Set the value for all autoindex directives to off or remove those directives.
Audit
Perform the following to determine if the recommended state is implemented:

1. Search the NGINX configuration files (nginx.conf and any included configuration files) to find any autoindex directives:

    grep -Ei '^\s*autoindex\s+' $NGINX_PREFIX/nginx.conf
    grep -Ei '^\s*autoindex\s+' $NGINX_PREFIX/conf.d/*

2. Ensure there are no autoindex directives present, or that the value is set to off for each directive found.
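
The audit and remediation steps above can be scripted as a pass/fail check. The following is an added example, not part of the draft benchmark or the project's code: the function names and the sample tree are hypothetical, and it goes beyond the two grep commands by scanning the whole configuration tree and by catching a directive that shares a line with a block opening, such as `location /files/ { autoindex on; }`.

```shell
#!/bin/sh
# Added example, not CIS or project code. Helper names are hypothetical.

# Print "file:line:directive" for each autoindex directive not set to "off".
# Comments are dropped first (assumes no literal '#' inside quoted values).
# -E makes '+' mean "one or more"; the leading group also catches a directive
# that follows '{', '}' or ';' on the same line. "autoindex_exact_size" and
# similar directives do not match because whitespace must follow the name.
list_autoindex_violations() {
    find "$1" -type f | while IFS= read -r f; do
        sed 's/#.*//' "$f" |
        grep -noEi '(^|[;{}[:space:]])autoindex[[:space:]]+[^;[:space:]]+' |
        grep -Eiv 'autoindex[[:space:]]+off$' |
        while IFS= read -r hit; do printf '%s:%s\n' "$f" "$hit"; done
    done
}

# Exit status 0 when compliant, 1 (with the findings printed) otherwise.
audit_autoindex() {
    violations=$(list_autoindex_violations "$1")
    [ -z "$violations" ] && return 0
    printf '%s\n' "$violations"
    return 1
}

# Constructed sample tree standing in for $NGINX_PREFIX.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d" "$d/sites"
    cat > "$d/nginx.conf" <<'EOF'
http {
    autoindex off;
    autoindex_exact_size off;   # a different directive
    include conf.d/*.conf;
}
EOF
    printf 'server {\n  location /files/ { autoindex on; }\n}\n' > "$d/conf.d/files.conf"
    printf '# autoindex on;\nserver { location / { autoindex  on ; } }\n' > "$d/sites/legacy.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample)
audit_autoindex "$sample" || echo "autoindex audit: FAIL"
rm -rf "$sample"
```

On a real host, pass the configuration root (for example `"$NGINX_PREFIX"`) to `audit_autoindex` and use its exit status in a compliance job.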