
[test:HTTP-6660 warns that TraceEnable should be set to off, even though it is already off #1543

Open
lwt-pressy opened this issue Sep 27, 2024 · 8 comments

lwt-pressy commented Sep 27, 2024

Describe the bug
TraceEnable is set to "Off" and I would expect no warning

Version

  • Distribution: Debian GNU/Linux 12 (bookworm)
  • Lynis version: Lynis 3.1.2

Expected behavior
no warning

Output

```
2024-09-27 09:34:08 Result: found TraceEnable setting set to 'Off' in /etc/apache2/conf-available/security.conf
2024-09-27 09:34:08 Suggestion: Consider setting 'TraceEnable Off' in /etc/apache2/conf-available/security.conf [test:HTTP-6660] [details:Set TraceEnable to 'On' or 'extended' for testing and diagnostic purposes only.] [solution:-]
```

mboelen commented Sep 27, 2024

Can you show your relevant Apache configuration?

@mboelen mboelen self-assigned this Sep 27, 2024

lwt-pressy commented Sep 27, 2024

File also attached: security.txt

```
cat security.conf

#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
#	AllowOverride None
#	Require all denied
#</Directory>


# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
#ServerTokens OS
#ServerTokens Full

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#ServerSignature Off
#ServerSignature On

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
#
TraceEnable Off
#TraceEnable On

#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
#   Require all denied
#</DirectoryMatch>

#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"

#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

In the normal output I just found this, which could be related:

```
/etc/apache2/sites-include/security.conf [ NOT FOUND ]
/etc/apache2/sites-include/security2.conf [ NOT FOUND ]
/usr/sbin/lynis: 326: [: xoff: unexpected operator
/etc/apache2/conf-enabled/security.conf [ SUGGESTION ]
```

lwt-pressy commented Sep 27, 2024

Sorry for the format. I also attached the file. Are more config files needed?

teoberi commented Sep 27, 2024

Maybe related to: #1536 (comment)

lwt-pressy commented

Yes, if I temporarily switch from dash to bash in /etc/sh everything works fine. Seems like a bashism.

teoberi commented Sep 27, 2024

Check with patch above.

RZR7332 commented Sep 27, 2024

I am seeing this on Ubuntu 24.04 as well; TraceEnable is set to Off.

Lynis also prints the line "/usr/sbin/lynis: 326: [: xoff: unexpected operator" three times during the Apache scan, not sure if this is related.

RZR7332 commented Sep 29, 2024

Maybe related to: #1536 (comment)

I can confirm the code changes in this PR resolve this.
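The thread points at a dash/bash portability problem: `[: xoff: unexpected operator` is what dash's `[` builtin prints when it meets a comparison operator it does not know. Below is an added example, written for this page and not taken from Lynis or from anyone in the thread, of a TraceEnable check that behaves the same under dash and bash. It uses only POSIX `sh` and POSIX `awk`; the sample configuration it checks is constructed inline, and the result labels (`OK`, `SUGGESTION`, `WARNING`) are this example's own, not Lynis output.

```shell
#!/bin/sh
# Added example (not Lynis code): a portable check of Apache's TraceEnable
# directive. Run it with "sh" (dash on Debian/Ubuntu) and with bash; the
# result must be the same on both.

# Print the effective TraceEnable value, lowercased, from a config file given
# as an argument (or from stdin when no argument is given). Commented-out
# lines are skipped, the last active directive wins (as Apache does), and
# "unset" is printed when the directive is absent.
get_trace_enable() {
    awk '
        /^[ \t]*#/ { next }                              # skip commented-out lines
        tolower($1) == "traceenable" { v = tolower($2) } # last active directive wins
        END { print (v == "" ? "unset" : v) }
    ' "$@"
}

# Map the value to a result label. Note the single "=": that is the POSIX
# string comparison for [ and works in every sh. Writing
#     [ "x$_v" == "xoff" ]
# works in bash, but under dash fails with: [: xoff: unexpected operator
trace_enable_status() {
    _v="$1"
    if [ "x$_v" = "xoff" ]; then
        echo "OK"            # TRACE method disabled
    elif [ "x$_v" = "xextended" ]; then
        echo "WARNING"       # request body is reflected back to the client
    else
        echo "SUGGESTION"    # "on", or unset (Apache's default is On)
    fi
}

# Run the check against a constructed sample resembling the TraceEnable
# section of Debian's /etc/apache2/conf-available/security.conf.
demo_check() {
    _val=$(get_trace_enable <<'EOF'
# Allow TRACE method
# Set to one of:  On | Off | extended
TraceEnable Off
#TraceEnable On
EOF
    )
    echo "TraceEnable=$_val -> $(trace_enable_status "$_val")"
}

demo_check
```

Running the file as `sh check.sh` and `bash check.sh` should print `TraceEnable=off -> OK` both times; a script that used `==` instead of `=` would print the `unexpected operator` message under dash and fall through to the wrong branch, which is the false positive reported above.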
