id: file-disable-http-trace-method

info:
  name: Disable Apache2 HTTP TRACE Method
  author: pussycat0x
  severity: high
  description: |
    The HTTP TRACE method should be disabled to prevent Cross-Site Tracing (XST) attacks.
  remediation: |
    Add 'TraceEnable Off' in the Apache configuration file and restart the service.
  reference:
    - https://httpd.apache.org/docs/2.4/mod/core.html#traceenable
  metadata:
    verified: true
  tags: audit,config,file,apache,hardening

file:
  - extensions:
      - conf

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<Directory"
          - "<FilesMatch"
        condition: and

      - type: word
        words:
          - "TraceEnable On"
          - "<IfModule mod_core.c>"
        condition: and
        negative: true
# digest: 4a0a004730450221008c842e49c2a92d3ba5eea4686c3825c57fff34411e2aab1055eae3598efbac5e022027fbc59986fc1a022bcd7a05bca6ccef29c069315c23320aa9c52127eedfeff5:922c64590222798bb761d5b6d8e72950