3.10 Ensure the ScoreBoard File Is Secured

Information

The 'ScoreBoardFile' directive sets a file path which the server will use for interprocess communication (IPC) among the Apache processes. On most Linux platforms, shared memory will be used instead of a file in the file system, so this directive is not generally needed and does not need to be specified. However, if the directive is specified, Apache will use the configured file for IPC, so it needs to be located in a secure directory.

Rationale:

If the 'ScoreBoardFile' is placed in a writable directory, other accounts could create a denial of service attack and prevent the server from starting by creating a file with the same name, and users could monitor and disrupt communication between the processes by reading and writing to the file.

Solution

Perform the following steps to secure the ScoreBoard file:
1. Check to see if the 'ScoreBoardFile' is specified in any of the Apache configuration files. If it is not present, no changes are required.
2. If the directive is present, find the directory in which the 'ScoreBoardFile' would be created. The default value is the 'ServerRoot/logs' directory.
3. Modify the directory if it is within the Apache 'DocumentRoot' or if it is on an NFS mounted file system and not a locally mounted hard drive.
4. Change the directory ownership and group to be 'root:root'.
5. Change the directory permissions so it is only writable by root or the user under which apache initially starts up (default is root).

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv6|18

Plugin: Unix

Control ID: 33285ec0742d40fafb6499d3e8c8c0a906ee8bac282559c72fdba5a2af3fdd58