3.9 Ensure the Pid File Is Secured

Information

The 'PidFile' directive sets the file path to the process ID (pid) file to which the server records the pid of the server. The pid is useful for sending a signal to the server process or checking on the health of the process.

Rationale:

If the 'PidFile' is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a pid file with the same name.

Solution

Perform these steps to secure the pid file:
1. Find the directory in which the 'PidFile' would be created. The default value is the 'ServerRoot/logs' directory.
2. Modify the directory if it is within the Apache 'DocumentRoot'.
3. Change the ownership and group of the directory to be 'root:root'.
4. Change the permissions for the directory so it is only writable by root, or the user under which apache initially starts up (default is root).

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|18, CSCv7|14.6

Plugin: Unix

Control ID: 0f23410b82ff7ab82e9483b8824e89a6a06f3e199370540d7fe174eddd14da5a