TraceEnable Off

nealdxmhost

I am in the middle of TRYING to make my system PCI compliant for one of my customers. He is using the McAfee security service to check things, and his site itself appears to be secure (he is on a dedicated IP and he has his own SSL cert). I was reading the McAfee KB etc., and the only thing I could locate was this:

Code:
For Apache web servers >= 1.3.34/2.0.55 add the following directive to the global configuration:
TraceEnable Off

Restart Apache for configuration changes to take effect. To test your changes, use telnet to craft a request similar to the following (NOTE: This example shows TRACE method disabled in the response):

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: localhost
X-Header: Server will return a 403 if TRACE Method is disabled.

HTTP/1.1 403 Forbidden
Date: Sun, 12 Oct 2008 02:04:24 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 276
Connection: close

You should see a 403 response in the header. If you have the ErrorDocument directive set to use a custom error page for a 403, you will see a 302 response.

I know it is probably a DUMB question for the more seasoned types here; however, I am stumped as to what file I need to put TraceEnable Off into and where in the same file it is supposed to go.

Thanks in advance guys!

Neal
 
I'm guessing anywhere near the top of the main httpd.conf file. Be sure to restart httpd afterwards.

Jeff
 
The edit seemed to work in that it did not break Apache, LOL.

Now I just need to run the test again to see where I am at in terms of the PCI vulnerability thing.
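
The telnet test from the quoted KB text, scripted so it can be re-run after each config change. This is an added example, not part of the original posts or the McAfee KB; the function names, the X-Trace-Check header and the verdict strings are assumptions made for illustration.

```python
import socket
import sys
import uuid

def classify_trace_response(raw: bytes, marker: str):
    """Return (verdict, status) for a raw HTTP response to a TRACE probe."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n")[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return ("inconclusive", None)
    status = int(parts[1])
    if 200 <= status < 300:
        # An enabled TRACE echoes the request (headers included) in the body.
        return ("enabled" if marker.encode() in body else "inconclusive", status)
    if status in (403, 405):
        # 403 is what the quoted KB text shows; 405 is the status the Apache
        # documentation gives for TraceEnable off.
        return ("disabled", status)
    if status == 302:
        # Per the KB text: a custom ErrorDocument for 403 shows up as a 302.
        return ("redirect", status)
    return ("inconclusive", status)

def send_trace(host: str, port: int = 80, timeout: float = 5.0):
    """Send one TRACE request with a random marker header and classify the reply."""
    marker = "trace-check-" + uuid.uuid4().hex
    request = (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n"
               f"X-Trace-Check: {marker}\r\nConnection: close\r\n\r\n").encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while (data := sock.recv(4096)):
            chunks.append(data)
    return classify_trace_response(b"".join(chunks), marker)

# The 403 reply shown in the thread, and a constructed reply from a server
# that still echoes TRACE requests.
SAMPLE_DISABLED = (b"HTTP/1.1 403 Forbidden\r\nServer: Apache/2.2.3 (CentOS)\r\n"
                   b"Content-Length: 276\r\nConnection: close\r\n\r\n")
SAMPLE_ENABLED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                  b"TRACE / HTTP/1.1\r\nHost: localhost\r\nX-Trace-Check: abc123\r\n\r\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(send_trace(sys.argv[1]))   # live check, e.g. "localhost"
    else:
        print(classify_trace_response(SAMPLE_DISABLED, "abc123"))
        print(classify_trace_response(SAMPLE_ENABLED, "abc123"))
```

A "redirect" verdict only matches the KB's ErrorDocument case if the Location header points at the custom 403 page; any other redirect leaves the TRACE status undetermined.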
 