3.5 Ensure the Group Is Set Correctly on Apache Directories and Files

Information

The Apache directories and files should be set to have a group Id of root, (or a root equivalent) group. This applies to all of the Apache software directories and files installed. The only expected exception is that the Apache web document root ($APACHE_PREFIX/htdocs) is likely to need a designated group to allow web content to be updated (such as webupdate) through a change management process.

Rationale:

Securing Apache files and directories will reduce the probability of unauthorized modifications to those resources.

Solution

Perform the following:
Set ownership on the $APACHE_PREFIX directories such as /usr/local/apache2:

$ chgrp -R root $APACHE_PREFIX

Default Value:

Default ownership and group is a mixture of the user:group that built the software and root:root.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: aae44855f09f1b8d616ceb49f176948bb0593647f10851f3054105bed221b9ec