3.11 Ensure Group Write Access for the Apache Directories and Files Is Properly Restricted

Information

Group permissions on Apache directories should generally be r-x, and file permissions should be similar, except not executable where execution is not appropriate. This applies to all of the installed Apache software directories and files, with the possible exception of the web document root $DOCROOT, which is defined by the Apache DocumentRoot directive and defaults to $APACHE_PREFIX/htdocs. The directories and files in the web document root may have a designated web development group with write access to allow web content to be updated.

Rationale:

Restricting write permissions on the Apache files and directories can help mitigate attacks that modify web content to provide unauthorized access, or to attack web clients.

Solution

Perform the following to remove group write access on the $APACHE_PREFIX directories.

find -L "$APACHE_PREFIX" ! -type l -perm /g=w -exec chmod g-w {} \;
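
An audit-then-remediate variant of the command above that honors the document root exception, added here as an example and not part of the benchmark text. The function name apache_group_write and its audit/fix arguments are assumptions for illustration; -perm -020 is the POSIX spelling that matches the same single group write bit as GNU find's -perm /g=w.

```shell
#!/bin/sh
# Added example (not from the benchmark): list or remove group write access
# under an Apache prefix while leaving the web document root untouched.
#
# Usage: apache_group_write audit|fix PREFIX [DOCROOT]
#   audit  print every non-symlink path that has the group write bit set
#   fix    run chmod g-w on those same paths
# DOCROOT, when given, is pruned together with everything below it. It must
# be written the way find prints it (same leading path, no trailing slash)
# and is treated as a find -path pattern, so it should not contain glob
# characters.
apache_group_write() {
    action=$1
    prefix=$2
    docroot=${3:-}

    # Pick the find action; "$@" is reused to carry it to find.
    case $action in
        audit) set -- -print ;;
        fix)   set -- -exec chmod g-w {} + ;;
        *)     echo "usage: apache_group_write audit|fix PREFIX [DOCROOT]" >&2
               return 2 ;;
    esac

    if [ -n "$docroot" ]; then
        # (-path DOCROOT -prune) OR (not a symlink AND group-writable AND act)
        find -L "$prefix" -path "$docroot" -prune -o \
            ! -type l -perm -020 "$@"
    else
        find -L "$prefix" ! -type l -perm -020 "$@"
    fi
}

# Typical run: review the audit output first, then apply the fix.
#   apache_group_write audit "$APACHE_PREFIX" "$APACHE_PREFIX/htdocs"
#   apache_group_write fix   "$APACHE_PREFIX" "$APACHE_PREFIX/htdocs"
```

Running audit again after fix should print nothing; any path that still appears was not changed, for example because the caller does not own it.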

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 50548240c0496452723a84a970879896a3bb035b9ce6d07c5c560c32c346071b