Details
The ‘PidFile’ directive sets the path of the process ID (pid) file in which the server records its own pid. The pid is useful for sending a signal to the server process or checking on the health of the process.
Rationale
If the ‘PidFile’ is placed in a writable directory, other accounts could mount a denial-of-service attack and prevent the server from starting by creating a pid file with the same name.
Solution
Perform these steps to secure the pid file:
1. Find the directory in which the ‘PidFile’ would be created. The default value is the ‘ServerRoot/logs’ directory.
2. Modify the directory if it is within the Apache ‘DocumentRoot’.
3. Change the ownership and group of the directory to be ‘root:root’.
4. Change the permissions for the directory so that it is writable only by root, or by the user under which Apache initially starts up (the default is root).
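The following script is an added audit example, not part of the original benchmark text: it resolves the ‘PidFile’ directory from a configuration file (step 1) and then checks steps 2 to 4 against it. The configuration path, ServerRoot and DocumentRoot are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the original benchmark text: audit the directory
# that will hold Apache's PidFile against steps 1-4. Config and paths passed
# in are placeholders chosen by the caller.

# pidfile_dir_from_conf CONF SERVERROOT  (step 1)
# Prints the directory the pid file lands in. A relative PidFile value is
# resolved against ServerRoot; with no directive the default is ServerRoot/logs.
# Matches the canonical 'PidFile' spelling (Apache itself is case-insensitive).
pidfile_dir_from_conf() {
    conf=$1
    serverroot=${2%/}
    pidfile=$(sed -n 's/^[[:space:]]*PidFile[[:space:]]\{1,\}"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$conf" | tail -n 1)
    [ -z "$pidfile" ] && pidfile="logs/httpd.pid"
    case "$pidfile" in
        /*) ;;
        *) pidfile="$serverroot/$pidfile" ;;
    esac
    dirname "$pidfile"
}

# check_pidfile_dir DIR DOCROOT  (steps 2-4)
# Prints one line per finding; returns 0 only when every check passes.
check_pidfile_dir() {
    dir=${1%/}
    docroot=${2%/}
    rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    # Step 2: the pid directory must not sit under DocumentRoot.
    case "$dir/" in
        "$docroot"/*) echo "FAIL: $dir is inside DocumentRoot $docroot"; rc=1 ;;
    esac
    # Step 3: owner and group must be root (root:root).
    if [ -z "$(find "$dir" -maxdepth 0 -user root -group root 2>/dev/null)" ]; then
        echo "FAIL: $dir is not owned by root:root"; rc=1
    fi
    # Step 4: no group (020) or other (002) write bit, so only the owner
    # can create or replace files there.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -020)" ]; then
        echo "FAIL: $dir is group-writable"; rc=1
    fi
    if [ -n "$(find "$dir" -maxdepth 0 -perm -002)" ]; then
        echo "FAIL: $dir is world-writable"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $dir"
    return "$rc"
}

# Usage (placeholder paths):
# check_pidfile_dir "$(pidfile_dir_from_conf /etc/httpd/conf/httpd.conf /etc/httpd)" /var/www/html
```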
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.