
Ensure the Pid File Is Secured – ‘PidFile directory’

Details

The PidFile directive sets the path of the file in which the server records its process ID. The file is useful for sending a signal to the server process or for checking on the health of the process.

Rationale:

If the PidFile is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a PID file with the same name.

Solution

Find the directory in which the PidFile would be created. The default value is the ServerRoot/logs directory.

Modify the directory if the PidFile is in a directory within the Apache ‘DocumentRoot’.

Change the ownership and group to be root:root, if not already.

Change the permissions so that the directory is only writable by root, or the user under which Apache initially starts up (default is root).
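
The checks in the steps above can be run as a read-only audit. The script below is an added example, not part of the CIS benchmark text; the function name audit_pidfile_dir and its arguments are assumptions, and it relies on `stat -c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: audit the directory that holds Apache's PidFile.
# Usage: audit_pidfile_dir PID_DIR DOCUMENT_ROOT [EXPECTED_OWNER]
# Assumptions: `stat -c` is available; EXPECTED_OWNER defaults to root:root.
audit_pidfile_dir() {
    pid_dir=$1 doc_root=$2 want_owner=${3:-root:root}
    status=0

    # Resolve symlinks so a link pointing into the web tree is not missed.
    pid_real=$(cd "$pid_dir" 2>/dev/null && pwd -P) || {
        echo "FAIL: $pid_dir is not an accessible directory"; return 2; }
    doc_real=$(cd "$doc_root" 2>/dev/null && pwd -P) || {
        echo "FAIL: $doc_root is not an accessible directory"; return 2; }

    # The PidFile directory must not be within DocumentRoot.
    # The trailing slash keeps /srv/www-logs from matching /srv/www.
    case "$pid_real/" in
        "$doc_real"/*)
            echo "FAIL: $pid_real is inside DocumentRoot $doc_real"; status=1 ;;
    esac

    # Ownership and group must match the expected owner.
    owner=$(stat -c '%U:%G' "$pid_real")
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"; status=1
    fi

    # No write bit for group or other (octal mask 022).
    mode=$(stat -c '%a' "$pid_real")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: mode $mode allows group/other write"; status=1
    fi

    [ "$status" -eq 0 ] && echo "PASS: $pid_real ($owner, mode $mode)"
    return "$status"
}

# Run the audit when the script is called with arguments.
if [ "$#" -ge 2 ]; then audit_pidfile_dir "$@"; fi
```

The function returns 0 when every check passes, 1 when any check fails, and 2 when a directory cannot be resolved.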

Default Value:

The default process ID file is logs/httpd.pid.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.

Updated on July 16, 2022