3.9 Ensure the Pid File Is Secured - 'PidFile directory'

Information

The PidFile directive sets the path of the file in which the server records its process ID. This is useful for sending a signal to the server process or for checking on the health of the process.

Rationale:

If the PidFile is placed in a writable directory, other accounts could cause a denial of service and prevent the server from starting by creating a PID file with the same name.

Solution

Find the directory in which the PidFile would be created. The default value is the ServerRoot/logs directory.

Modify the directory if the PidFile is in a directory within the Apache 'DocumentRoot'.

Change the ownership and group to be root:root, if not already.

Change the permissions so that the directory is only writable by root, or the user under which Apache initially starts up (default is root).
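The steps above can be checked with a short script. This is an added example, not part of the benchmark or the audit plugin; the function names, the optional third argument (expected numeric owner, default 0:0 for root:root) and the sample paths are assumptions, and it relies on GNU coreutils stat.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils stat(1). Sample call (constructed paths):
#   audit_pid_dir "$(pidfile_dir /usr/local/apache2)" /usr/local/apache2/htdocs

# Resolve the directory that will hold the PID file.
# $1 = ServerRoot, $2 = PidFile value (default logs/httpd.pid).
# A relative PidFile is taken relative to ServerRoot.
pidfile_dir() {
    server_root=$1
    pidfile=${2:-logs/httpd.pid}
    case $pidfile in
        /*) ;;
        *)  pidfile=$server_root/$pidfile ;;
    esac
    dirname "$pidfile"
}

# Print one FAIL line per problem; return 0 only if the directory is compliant.
# $1 = PidFile directory, $2 = DocumentRoot,
# $3 = expected numeric owner:group (hypothetical parameter, default 0:0).
audit_pid_dir() {
    dir=$1 docroot=$2 want_owner=${3:-0:0} rc=0
    real=$(cd "$dir" 2>/dev/null && pwd -P) || { echo "FAIL: $dir does not exist"; return 1; }
    real_docroot=$(cd "$docroot" 2>/dev/null && pwd -P) || real_docroot=$docroot

    # The directory must not sit inside the DocumentRoot tree (symlinks resolved).
    case $real/ in
        "${real_docroot%/}"/*) echo "FAIL: $real is within DocumentRoot $real_docroot"; rc=1 ;;
    esac

    # Owner and group must both be root (uid 0, gid 0).
    owner=$(stat -c '%u:%g' "$real")
    [ "$owner" = "$want_owner" ] || { echo "FAIL: owner is $owner, expected $want_owner"; rc=1; }

    # No write bit for group or other: mask the octal mode with 022.
    mode=$(stat -c '%a' "$real")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL: mode $mode allows group/other write"; rc=1
    fi
    return $rc
}
```

A non-zero return with one or more FAIL lines means the directory needs the ownership, permission or location change described in the steps above.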

Default Value:

The default process ID file is logs/httpd.pid.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 233747919e3300f1e6b26cb1eb1771df9beafbdca56353584d0569d60934538f