[test:HTTP-6660] warns that TraceEnable should be set to off, even though it is already off #1543
Comments
Can you show your relevant Apache configuration?
File also attached: security.txt.

`cat security.conf`:

```apache
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#	AllowOverride None
#	Require all denied

# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal

# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#ServerSignature Off

# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
TraceEnable Off

# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/.svn">
#   Require all denied

# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"

# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

In the normal output I just found this, which could be related:
Sorry for the format. I also attached the file. Are more config files needed?
Maybe related to:
Yes, if I temporarily switch from dash to bash in /etc/sh everything works fine. Seems like a bashism.
Check with the patch above.
I am seeing this on Ubuntu 24.04 as well, TraceEnable is set to Off. Lynis also prints the line "/usr/sbin/lynis: 326: [: xoff: unexpected operator" three times during the Apache scan, not sure if this is related.
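A POSIX-sh version of the TraceEnable comparison, added here as an example and not taken from Lynis's own code. It assumes the failing line compares the value with `==` inside `[ ]`, which dash rejects with exactly the "unexpected operator" message quoted above; the helper names and the sample config are constructed.

```shell
#!/bin/sh
# Added example, not Lynis project code. Under dash, '[ "x$v" == "xoff" ]'
# fails with "[: xoff: unexpected operator" and the check falls through to
# the suggestion even when TraceEnable is Off; '=' is the portable form.

# Write a constructed stand-in for /etc/apache2/conf-available/security.conf
# and print its path (hypothetical helper).
make_sample_conf() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# Allow TRACE method
# Set to one of:  On | Off | extended
TraceEnable Off
#TraceEnable On
EOF
    echo "$f"
}

# Print the effective TraceEnable value, lowercased. Commented-out lines
# are skipped and the last active directive wins.
trace_enable_value() {
    grep -i '^[[:space:]]*TraceEnable[[:space:]]' "$1" \
        | awk '{ print tolower($2) }' \
        | tail -n 1
}

# Exit status 0 when TraceEnable is Off, 1 otherwise. The "x" prefix keeps
# the test well-formed when the directive is absent (empty value), and '='
# works in dash, bash and any other POSIX sh.
trace_disabled() {
    value="$(trace_enable_value "$1")"
    [ "x${value}" = "xoff" ]
}

conf="$(make_sample_conf)"
if trace_disabled "$conf"; then
    echo "OK: TraceEnable is Off in $conf"
else
    echo "Suggestion: consider setting 'TraceEnable Off' in $conf"
fi
rm -f "$conf"
```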
I can confirm the code changes in this PR resolve this.
Describe the bug
TraceEnable is set to "Off" and I would expect no warning
Version
Expected behavior
no warning
Output
```
2024-09-27 09:34:08 Result: found TraceEnable setting set to 'Off' in /etc/apache2/conf-available/security.conf
2024-09-27 09:34:08 Suggestion: Consider setting 'TraceEnable Off' in /etc/apache2/conf-available/security.conf [test:HTTP-6660] [details:Set TraceEnable to 'On' or 'extended' for testing and diagnostic purposes only.] [solution:-]
```