Remote OS Available
Security Metrics may claim that an attacker's ability to determine which OS is running on your server may embolden them, or give them specific knowledge of how best to attack your server.
ClearCenter disagrees. Knowledge of a server's OS can give an attacker an advantage if the underlying OS is prone to exploits or specific attacks. On the other side of this issue, however, is the fact that in some cases it can also be a deterrent.
Additionally, any competent hacker will be able to derive specifics about an OS through other means, including testing against the same web server.
ClearCenter response
Short response
This issue does not present a tangible risk to the running system.
Long response
Obfuscation of the underlying operating system is not a requirement of any known compliance directive. This issue does not present a significant risk, and the finding speculates that knowing the OS will embolden, rather than drive away, a potential threat. It is our assumption as well that knowledge that the underlying operating system is ClearOS, a well tested and frequently updated system which may also contain subsystems designed to send cloud notifications of compromises and service outages, will discourage hackers and hacking attempts.
Resolution
If you want to remove the OS and version reported by your Apache Web Server, perform the following:
First, establish a baseline by looking at your own headers:
curl --head localhost
Next, modify the /etc/httpd/conf/httpd.conf file and change the following two lines:
ServerSignature On
ServerTokens OS
to:
ServerSignature Off
ServerTokens Prod
(optional) … and while you are at it, close down php from revealing its version as well by modifying /etc/php.ini and changing:
expose_php = On
to this:
expose_php = Off
Restart the web service:
service httpd restart
Lastly, re-examine the reporting service:
curl --head localhost
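As an added example (not part of the ClearCenter article), a small POSIX sh script that mechanises the before/after comparison in the procedure above: check_headers classifies what `curl --head` returns, and harden_httpd_conf / harden_php_ini rewrite the three directives in whatever file path they are given. The sample header blocks and version strings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not ClearCenter's own tooling) for the httpd/php.ini change.

# Return 0 when neither the Server nor the X-Powered-By header reveals a
# version or OS (what ServerTokens Prod + expose_php = Off should yield),
# 1 when either still does. $1 is the raw header block from `curl --head`.
check_headers() {
    server=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^Server:' | head -n 1 \
             | sed 's/^[^:]*:[[:space:]]*//')
    powered=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^X-Powered-By:' | head -n 1)
    # Any X-Powered-By: PHP/x.y.z line means expose_php is still On.
    [ -z "$powered" ] || return 1
    # ServerTokens OS/Full/Minor append "/version" and "(OS)" to the product
    # name; Prod leaves just "Apache".
    case "$server" in
        */*|*'('*) return 1 ;;
    esac
    return 0
}

# Rewrite ServerTokens / ServerSignature in the file given as $1
# (normally /etc/httpd/conf/httpd.conf), whatever their current values.
harden_httpd_conf() {
    sed -e 's/^[[:space:]]*ServerTokens[[:space:]].*/ServerTokens Prod/' \
        -e 's/^[[:space:]]*ServerSignature[[:space:]].*/ServerSignature Off/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Same for expose_php in the file given as $1 (normally /etc/php.ini).
harden_php_ini() {
    sed -e 's/^[[:space:]]*expose_php[[:space:]]*=.*/expose_php = Off/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample header blocks in the shape `curl --head localhost`
# prints before and after the change (not captured from a real server).
BEFORE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
X-Powered-By: PHP/5.4.16
Content-Type: text/html; charset=UTF-8'
AFTER_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8'

if check_headers "$BEFORE_HEADERS"; then echo "before: minimal"; else echo "before: leaks"; fi
if check_headers "$AFTER_HEADERS";  then echo "after: minimal";  else echo "after: leaks";  fi
```

To check a live host instead of the samples, pass the output of `curl --head localhost` as the argument: `check_headers "$(curl -s --head localhost)"`.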