The default xCAT Apache configuration shipped with Options Indexes
enabled for the /install and /tftpboot directories. This allowed
unauthenticated users to browse directory listings, disclosing the
full tree of postscripts, boot files, and (in production deployments)
potentially kickstart files with password hashes, custom scripts with
embedded credentials, and cluster topology details.
Replace Options Indexes with -Indexes in all four shipped Apache config
files (MN and SN, Apache 2.2 and 2.4 variants). Direct file access
by known path continues to work, so all provisioning workflows are
unaffected. Directory browsing for /xcat-doc is preserved as it
contains only public documentation.
Additionally, add an Apache hardening guide documenting recommended
permissions for sensitive directories under /install, network binding
best practices, and IP-based access control options.
Addresses #7450
- categorize into topics without "xCAT" in the heading
since the topics are all related to xCAT
- Alphabetize the topics to make it easier to find
- create sub directories for the topics to contain
the documentation
- broke down some of the docs to multiple files to help
ease of readability
Vinícius Ferrão
besawn
GONG Jie
robin2008
Victor Hu
Mark Gurevich
immarvin
wangxiaopeng
hu-weihua