Title

The web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials. (Cat II impact)

Discussion

Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Any documentation, sample code, example applications, and tutorials must be removed from a production web server. To make certain that the documentation and code are not installed or uninstalled completely; the web server must offer an option as part of the installation process to exclude these packages or to uninstall the packages if necessary.

Check Content

Review the web server documentation and deployment configuration to determine if the web server contains documentation, sample code, example applications, or tutorials. Verify the web server install process also offers an option to exclude these elements from installation and provides an uninstall option for their removal. If web server documentation, sample code, example applications, or tutorials are installed or the web server install process does not offer an option to exclude these elements from installation, this is a finding.

Fix Text

Use the web server uninstall facility or manually remove any documentation, sample code, example applications, and tutorials.

Additional Identifiers

Rule ID: SV-206377r960963_rule

Vulnerability ID: V-206377

Group Title: SRG-APP-000141

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.