OS Identification
This entry from Security Metrics indicates that some risk may be derived from knowing the version of the underlying operating system.
ClearCenter response
Short response
This issue does not present a tangible risk to the running system.
Long response
Knowing the server version does not present a specific risk. One argument is that knowing the type of server running will embolden a hacker into further investigation. It can equally be argued that knowing the server version dissuades further investigation, as this system receives timely updates.
Resolution
No action required.
Optionally, if you want to remove the OS and version reported by your Apache Web Server, perform the following:
First, establish a baseline by looking at your own headers:
curl --head localhost
Next, modify the /etc/httpd/conf/httpd.conf file and change the following two lines:
ServerSignature On
ServerTokens OS
to:
ServerSignature Off
ServerTokens Prod
(optional) … and while you are at it, stop PHP from revealing its version as well by modifying /etc/php.ini and changing:
expose_php = On
to this:
expose_php = Off
Restart the web service:
service httpd restart
Lastly, re-examine the reporting service:
curl --head localhost
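To make the before/after comparison repeatable, the following is an added example (not part of the original ClearCenter page) that flags what the Server and X-Powered-By headers still reveal. The function name check_headers and both sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag OS/version disclosure in HTTP response headers.

check_headers() {
    # Reads raw response headers on stdin, prints one finding per line.
    # Returns 0 when nothing is disclosed, 1 otherwise.
    tr -d '\r' | awk '
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
        }
        name == "server" {
            # ServerTokens Prod leaves a bare product name such as "Apache".
            if (value ~ /[0-9]/) { print "server-version: " value; bad = 1 }
            if (value ~ /\(/)    { print "server-os: " value;      bad = 1 }
        }
        name == "x-powered-by" {
            # expose_php = Off removes this header entirely.
            print "x-powered-by: " value; bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample responses (version strings are made up for illustration).
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

for sample in "$BEFORE" "$AFTER"; do
    if printf '%s\n' "$sample" | check_headers; then
        echo "clean"
    else
        echo "disclosure found"
    fi
done
# Against a live server: curl -s --head localhost | check_headers
```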