3.7 Ensure the Core Dump Directory Is Secured

Information

The 'CoreDumpDirectory' directive can be used to specify a directory which Apache attempts to switch before dumping core for debugging. The default directory is the Apache 'ServerRoot' directory. However, on Linux systems, core dumps are disabled by default. Most production environments should leave core dumps disabled. In the event that core dumps are needed, the directory needs to be writable by Apache, and it should meet the security requirements defined below in the audit and remediation sections.

Rationale:

Core dumps are snapshots of memory and may contain sensitive information that should not be accessible by other accounts on the system.

Solution

Either remove the 'CoreDumpDirectory' directive from the Apache configuration files, or make the configured directory meet the following requirements:
1. Not within the Apache web document root ('$APACHE_PREFIX/htdocs')
2. Owned by root and has a group ownership of the Apache group (as defined via the Group directive)

# chown root:apache /var/log/httpd

3. Has no read-write-search access permission for other users

# chmod o-rwx /var/log/httpd

See Also

https://workbench.cisecurity.org/files/2378